Rate This Document
Findability
Accuracy
Completeness
Readability

Disable Public Network Access, Bind to Local Address, and Prohibit Binding to 0.0.0.0

Do not allow direct public network access. Use a VPN or SSH for remote access instead of exposing ports directly. Changing the binding address to 0.0.0.0 will directly expose the core port 18789 to the public network. Binding to a local address ensures that clients must connect through a secure channel (such as an SSH tunnel), thereby enhancing access control and communication security.

Misconfiguration of OpenClaw may expose its gateway and Chrome DevTools Protocol (CDP) ports to the public network (0.0.0.0), posing a severe security risk. Attackers can exploit these exposed ports to interact with OpenClaw instances without authorization, or even achieve remote code execution (RCE).

Note: Disabling public network access affects communication scenarios with external platforms, such as Feishu, WeChat, WeCom, and WhatsApp. These platforms typically require pushing messages to the server; if public network access is disabled, the corresponding features will become unavailable. In addition, setting gateway.bind to lan will lower the overall security level.

Procedure

Set the network binding mode of the OpenClaw gateway.

openclaw config set gateway.bind loopback