OpenClaw is an AI gateway that sits between your messaging channels—Telegram, Discord, Slack, WhatsApp—and your LLM providers like OpenAI and Anthropic. It's a single long-running process that dispatches messages to agents which call the actual models, with a web dashboard for configuration. That's it. One process, one port, holding three categories of secrets: your LLM API credentials, channel bot tokens, and the dashboard auth token.

Why Self-Hosting? And Why Not

The managed platform argument is real—someone else handles security, scaling, and uptime. But you pay for that in model restrictions, data flow visibility, and per-seat pricing. For teams that need specific models, want infrastructure control, or are tired of SaaS margins, self-hosting makes sense. The catch: security becomes your job. Nobody's patching the host, rotating secrets, or monitoring logs unless you set it up first.

The Four Security Levels

The author breaks deployment into four tiers, each building on the last:

  • Level 1 (personal use): host hardening, firewall, and a loopback-only gateway for solo access over SSH.
  • Level 2 (small teams of 2-5 people who trust each other but need browser-based dashboard access): adds Cloudflare Tunnel plus Access with identity verification.
  • Level 3 (compliance-conscious deployments where API keys can't live in config files): introduces secrets manager integration with zero plaintext on disk, plus systemd hardening.
  • Level 4 (enterprise: teams over five people or regulated environments needing per-user audit trails): SSO, trusted-proxy auth, device posture checks via WARP, SSH certificates, and infrastructure-as-code governance.

The Risk Surface Nobody Talks About

When your gateway hits a public VPS, expect probes within minutes of going live. The author ranks failure modes by likelihood: open ports getting scanned first, then unauthorized dashboard access if there's no identity-aware proxy in front of it, leaked shared tokens that never get rotated when someone leaves the team, prompt injection where malicious messages trick agents into modifying gateway configs or reading files outside their workspace, and plaintext secrets on disk readable by anyone with file access. The fix isn't any single measure—it's layered defense where each layer fails independently.

Tunnel Options: Cloudflare vs Tailscale

Cloudflare Tunnel plus Access gives you a public hostname protected by identity verification, DDoS absorption at the edge, and CDN distribution. Free tier covers most small teams, but you're moving DNS to Cloudflare and your traffic flows through their infrastructure. Tailscale provides device-to-device access over WireGuard with no public hostname—devices on your tailnet reach each other directly. The tradeoff: every user needs Tailscale installed, and there's no identity-aware edge for URL protection. Great for closed networks where only registered devices can connect. Rolling your own with nginx plus Let's Encrypt is viable for personal use but puts you back in the certificate management and open port business.

Two Traps That Will Waste Your Entire Afternoon

IPv6 on cloud VMs trips up a lot of people. Many cloud instances have public IPv4 but no working IPv6 path, and Node.js uses whatever address DNS returns, which is often an unreachable IPv6 address. The symptom looks like "DNS lookup failed" for your LLM provider endpoint, making you blame IP blocks or try version downgrades when the real issue is a one-line environment variable telling Node to prefer IPv4. Test with curl -4 versus curl -6 before anything else.

Second trap: OAuth endpoint paths that sit behind bot-mitigation layers, which return HTML block pages instead of JSON API responses. The gateway sees non-JSON and reports connection errors, completely masking the real problem. Bypass the gateway entirely with curl and test upstream URLs directly. That cuts through the abstraction layers hiding the actual failure.
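A triage script for both traps, added here as an example; it is not from the original article or the OpenClaw project. The function names are hypothetical, and the URL is whatever upstream endpoint your gateway calls.

```shell
#!/bin/sh
# Added example, not OpenClaw code. Usage: sh upstream-triage.sh <upstream-url>
# Function names are hypothetical; the URL is whatever upstream your gateway calls.

# probe FAMILY URL -> "ok" if curl connects over that address family, else "fail".
# FAMILY is 4 or 6. Any HTTP status counts as ok: only the network path is tested.
probe() {
    if curl "-$1" -sS -o /dev/null --connect-timeout 5 --max-time 15 "$2" 2>/dev/null; then
        echo ok
    else
        echo fail
    fi
}

# diagnose_families V4 V6 -> names the situation from the two probe results.
diagnose_families() {
    case "$1/$2" in
        ok/ok)   echo dual-stack-ok ;;
        ok/fail) echo ipv6-path-broken ;;  # trap 1: tell Node to prefer IPv4
        fail/ok) echo ipv4-path-broken ;;
        *)       echo no-connectivity ;;
    esac
}

# classify_response CONTENT_TYPE BODY -> json | html-block | other
# html-block is trap 2: a bot-mitigation page where the gateway expects JSON.
classify_response() {
    _ct=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    _first=$(printf '%s' "$2" | tr -d ' \t\r\n' | cut -c1)
    case "$_first" in
        '{'|'[') echo json; return 0 ;;
    esac
    case "$_ct$_first" in
        *text/html*|*'<') echo html-block ;;
        *) echo other ;;
    esac
}

# Run the live checks only when a URL is given, so the functions can be sourced.
if [ "$#" -ge 1 ]; then
    v4=$(probe 4 "$1"); v6=$(probe 6 "$1")
    echo "address families: $(diagnose_families "$v4" "$v6")"
    body_file=$(mktemp)
    content_type=$(curl -sS --max-time 15 -o "$body_file" -w '%{content_type}' "$1")
    echo "response kind: $(classify_response "$content_type" "$(cat "$body_file")")"
    rm -f "$body_file"
fi
```

Run it from the gateway host itself, since the address-family result depends on that machine's network path.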

The Shared Token Problem and When Per-User Auth Actually Matters

At Levels 1-3, OpenClaw uses a shared bearer token for dashboard access—everyone has the same credential, it can't be revoked per user, and there's no audit trail beyond Access logs. That's not enterprise-grade and the author acknowledges it openly. But it's workable: Cloudflare Access authenticates per-user at the edge before anyone reaches the token form, Access logs show who accessed when even with shared credentials, and removing someone from the policy blocks new logins immediately. The shared token protects against anything bypassing Access, not day-to-day access control. Plan migration to trusted-proxy auth around 5-10 users, but don't over-engineer on day one.

When to Graduate to the Next Level

Specific signals matter more than vibes: move from Level 1 to 2 when a second person needs dashboard access or you want browser-based access without SSH forwarding. Move to Level 3 when someone asks about your secrets-at-rest posture for compliance audits, due diligence questionnaires, or you're uncomfortable with plaintext API keys in JSON files. Graduate to Level 4 when you can't track who has the shared token, need per-user audit trails, team exceeds five people, or corporate SSO integration is on the roadmap. The enterprise roadmap covers seven phases: SSO first (biggest single improvement), containerize the tunnel daemon for its own network namespace, flip gateway to trusted-proxy mode, add device posture via WARP, automate secret rotation with alerting, move SSH behind Access with short-lived certificates, then codify everything in Terraform.

Key Takeaways

  • Security is a stack of independent layers—remove any one and you have a single point of failure
  • Start at Level 1 for personal use, level up only when your situation demands it
  • Use tunnels instead of open web ports—your server initiates connections outbound and the edge proxies inbound requests
  • Test upstream URLs directly with curl before blaming gateway configuration for mysterious failures
  • Quarterly access reviews and offboarding runbooks matter more than most security tooling at small scale

The Bottom Line

The best security architecture is one you'll actually maintain. Four layers of independent defense beat a perfect single layer that nobody follows consistently. Start simple, ship early, and level up when the signals tell you it's time—not before.