RunOnFlux/openclaw-tailscale

OpenClaw + Tailscale for Flux Cloud

Docker image that bundles OpenClaw with Tailscale using userspace networking — no NET_ADMIN capability required. Designed to run on Flux Cloud where privileged containers are not available.

How it works

Since Flux Cloud does not allow --cap-add=NET_ADMIN or --privileged, Tailscale runs in userspace networking mode (--tun=userspace-networking). Instead of creating a TUN interface, it exposes local SOCKS5 and HTTP proxies that route traffic through the Tailscale network.

Container
+------------------------------------------+
|  tailscaled (userspace networking)       |
|    SOCKS5 proxy  -> localhost:1055       |
|    HTTP proxy    -> localhost:1055       |
|         |                                |
|         +---> Tailscale network (encrypted WireGuard) ---> Your devices
|                                          |
|  openclaw (main process)                 |
+------------------------------------------+

Quick start

docker run \
  -e TAILSCALE_AUTHKEY=tskey-auth-xxxxx \
  -e TAILSCALE_HOSTNAME=my-openclaw \
  runonflux/openclaw-tailscale:latest

Environment variables

| Variable | Default | Description |
|---|---|---|
| TAILSCALE_AUTHKEY | (required) | Tailscale auth key. Generate at Tailscale Admin. Use an ephemeral + reusable key for containers. |
| TAILSCALE_HOSTNAME | openclaw | Hostname for the container on your tailnet. |
| TAILSCALE_EXTRA_ARGS | (empty) | Additional arguments passed to tailscale up (e.g. --advertise-tags=tag:server). |
| TAILSCALE_SOCKS5_PORT | 1055 | SOCKS5 proxy listen port. |
| TAILSCALE_HTTP_PROXY_PORT | 1055 | HTTP proxy listen port. |
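
The startup sequence described under "How it works", driven by the variables above, could look like the following. This is an added sketch, not the repository's start.sh: the function names, the use of --state=mem:, and taking the main process command from the script arguments are assumptions.

```shell
#!/bin/sh
# Added sketch, not the repository's start.sh. Variable names are from the README;
# function names and running the main process from "$@" are assumptions.

# Accept only a decimal TCP port in 1..65535.
valid_port() {
  case "$1" in
    ''|*[!0-9]*|??????*) return 1 ;;
  esac
  [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Print tailscaled flags, one per line. Both proxies listen on localhost only,
# so nothing outside the container can relay into the tailnet through them.
tailscaled_args() {
  socks_port="${TAILSCALE_SOCKS5_PORT:-1055}"
  http_port="${TAILSCALE_HTTP_PROXY_PORT:-1055}"
  valid_port "$socks_port" || { echo "invalid TAILSCALE_SOCKS5_PORT" >&2; return 1; }
  valid_port "$http_port" || { echo "invalid TAILSCALE_HTTP_PROXY_PORT" >&2; return 1; }
  printf '%s\n' "--tun=userspace-networking" \
    "--socks5-server=localhost:${socks_port}" \
    "--outbound-http-proxy-listen=localhost:${http_port}"
}

start() {
  [ -n "${TAILSCALE_AUTHKEY:-}" ] || { echo "TAILSCALE_AUTHKEY is required" >&2; return 1; }
  args="$(tailscaled_args)" || return 1
  # Word splitting of $args is intended: the flags contain no spaces.
  # --state=mem: keeps node state in memory, matching an ephemeral key.
  tailscaled --state=mem: $args &
  tries=0
  # TAILSCALE_EXTRA_ARGS is split on whitespace by design (several flags).
  until tailscale up --authkey="$TAILSCALE_AUTHKEY" \
      --hostname="${TAILSCALE_HOSTNAME:-openclaw}" ${TAILSCALE_EXTRA_ARGS:-}; do
    tries=$((tries + 1))
    [ "$tries" -lt 10 ] || { echo "tailscale up failed" >&2; return 1; }
    sleep 1
  done
  unset TAILSCALE_AUTHKEY   # keep the key out of the main process environment
  exec "$@"
}

# Run only when a main-process command is given as arguments.
if [ "$#" -gt 0 ]; then
  start "$@"
fi
```

Rejecting anything but a bare port number means a value such as 0.0.0.0:1055 cannot widen the proxy listener beyond localhost.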

Accessing the Tailscale network

Because userspace networking does not create a network interface, applications must use the proxy to reach other devices on your tailnet:

# Via SOCKS5
curl --socks5 localhost:1055 http://100.64.0.1:8080

# Via HTTP proxy (curl reads only the lowercase http_proxy variable for http:// URLs)
http_proxy=http://localhost:1055 curl http://my-server.tail12345.ts.net

Build locally

docker build -t runonflux/openclaw-tailscale:latest .
docker push runonflux/openclaw-tailscale:latest

Automated rebuilds

A GitHub Actions workflow (.github/workflows/rebuild-on-digest-change.yml) checks every 6 hours whether the upstream ghcr.io/openclaw/openclaw:latest image has changed. If the digest differs, it automatically rebuilds and pushes a new image.

Required GitHub secrets

| Secret | Description |
|---|---|
| DOCKERHUB_USERNAME | Docker Hub username |
| DOCKERHUB_TOKEN | Docker Hub access token |

The workflow can also be triggered manually via workflow_dispatch.

Project structure

.
├── Dockerfile                                  # OpenClaw + Tailscale image
├── start.sh                                    # Entrypoint: starts tailscaled then openclaw
├── README.md
└── .github/
    └── workflows/
        └── rebuild-on-digest-change.yml        # Auto-rebuild on upstream changes

License

MIT

About

OpenClaw AI for Flux Cloud Network
