Tailscale Serve vs Funnel
Tailscale offers two features for sharing local services: Serve (private) and Funnel (public). Understanding the difference is critical for OpenClaw security.
Tailscale Serve (Recommended for OpenClaw)
Serve exposes a local port to other devices on your Tailscale network only. Traffic is encrypted with WireGuard and only accessible to authenticated devices on your tailnet.
tailscale serve https / http://localhost:3000This is the recommended approach for OpenClaw because it keeps your dashboard completely private.
Tailscale Funnel (Use with Extreme Caution)
Funnel exposes a local port to the entire public internet through a Tailscale-managed HTTPS endpoint. While it provides TLS encryption, anyone with the URL can access your service.
tailscale funnel https / http://localhost:3000When to Use Each
| Feature | Serve | Funnel |
|---|---|---|
| Accessibility | Your devices only | Entire internet |
| Authentication | Tailscale identity | None by default |
| OpenClaw Dashboard | Recommended | Not recommended |
| Webhook endpoints | Not suitable | Suitable with auth |
Rule of thumb: Use Serve for the OpenClaw dashboard and internal tools. Only use Funnel for webhook endpoints that external services need to reach, and always implement additional authentication.