OC
OpenClaw
Dashboard

openclaw-dashboard-remote-access.md

/home/ubuntu/.openclaw/workspace/docs/openclaw-dashboard-remote-access.md
Back

OpenClaw Dashboard: always-on service + Tailscale access (EC2)

This documents how the openclaw-dashboard Next.js app is run on the EC2 instance as a background service and accessed securely from anywhere over Tailscale (no SSH port-forwarding).

Goals

  • Dashboard runs continuously on the EC2 instance (survives reboot)
  • Dashboard is not publicly exposed on the internet
  • Access is via a stable Tailscale HTTPS URL (tailnet-only)

Repo

  • Path: ~/projects/openclaw-dashboard
  • Next.js ports (from package.json):
    • Dev: next dev -p 3001
    • Prod: next start -p 3579

This setup uses production mode on port 3579.

1) Dashboard as a systemd service

Systemd unit:

  • File: /etc/systemd/system/openclaw-dashboard.service
  • Runs as user: ubuntu
  • Working directory: /home/ubuntu/projects/openclaw-dashboard
  • Binds dashboard to localhost only: 127.0.0.1:3579

Unit contents:

[Unit]
Description=OpenClaw Dashboard (Next.js)
After=network-online.target
Wants=network-online.target

[Service]
Type=simple
User=ubuntu
WorkingDirectory=/home/ubuntu/projects/openclaw-dashboard
Environment=NODE_ENV=production

# Build on (re)start to ensure .next exists.
ExecStartPre=/usr/bin/npm run build
ExecStart=/home/ubuntu/projects/openclaw-dashboard/node_modules/.bin/next start -H 127.0.0.1 -p 3579
Restart=on-failure
RestartSec=3

# Hardening (lightweight)
NoNewPrivileges=true
PrivateTmp=true

[Install]
WantedBy=multi-user.target

Enable + start:

sudo systemctl daemon-reload
sudo systemctl enable --now openclaw-dashboard

Check status/logs:

sudo systemctl status openclaw-dashboard
sudo journalctl -u openclaw-dashboard -f

Local health check:

curl -I http://127.0.0.1:3579

2) Tailscale install + login (EC2)

Install and start tailscaled:

curl -fsSL https://tailscale.com/install.sh | sh
sudo systemctl enable --now tailscaled

Bring the node into your tailnet:

sudo tailscale up --ssh --accept-dns=true

This prints a login URL. Open it in your browser and authenticate.

Confirm it has a Tailscale IP:

tailscale status
tailscale ip -4

Shields-up note

We want inbound tailnet access to work. If you ever enabled “shields up”, it blocks inbound connections.

sudo tailscale set --shields-up=false

3) Tailscale Serve (tailnet-only HTTPS)

We use Tailscale Serve to proxy HTTPS on the tailnet hostname to the local Next server on 127.0.0.1:3579.

Enable Serve in the admin console if needed (Tailscale provides a link).

Set up Serve (background):

sudo tailscale serve reset
sudo tailscale serve --bg --https=443 http://127.0.0.1:3579
sudo tailscale serve status

You’ll see a line like:

  • https://openclaw.tail18850e.ts.net/proxy http://127.0.0.1:3579

This URL is tailnet-only and uses HTTPS.

Disable Serve:

sudo tailscale serve --https=443 off

Troubleshooting

The HTTPS hostname changed after renaming the device

If you rename the machine in the Tailscale admin console (e.g. to openclaw), the tailnet hostname changes.

Sometimes Serve remains bound to the old hostname. Fix by resetting and re-applying Serve:

sudo tailscale serve reset
sudo tailscale serve --bg --https=443 http://127.0.0.1:3579
sudo tailscale serve status

Dashboard not loading from laptop

  1. Confirm your laptop is also on Tailscale.
  2. Confirm Serve is active:
sudo tailscale serve status
  1. Confirm dashboard is up locally on the EC2:
curl -I http://127.0.0.1:3579
sudo systemctl status openclaw-dashboard

Browser caching / redirects

After changing Serve/hostnames, try:

  • hard refresh
  • incognito window
  • ensure a trailing slash: https://openclaw.tail18850e.ts.net/

Quick reference

  • Dashboard service:

    • sudo systemctl restart openclaw-dashboard
    • sudo journalctl -u openclaw-dashboard -f

  • Tailscale:

    • tailscale status
    • sudo tailscale serve status
    • sudo tailscale serve reset