
Keep OpenClaw Local Only

Learn how to configure OpenClaw for maximum security by keeping all traffic local to your computer. Prevent external access and protect your data.

Updated 2026-02-03

What "Local Only" Means

When OpenClaw runs in "local only" mode, it only accepts connections from your own computer. No other device on your network, and no one on the internet, can access your OpenClaw gateway.

Default is Already Local

Good news: OpenClaw runs in local-only mode by default. This guide helps you verify this setting and understand why it matters.

Why Keep It Local?

Security Benefits

  1. No external attack surface - Hackers cannot reach your gateway from the internet
  2. No network exposure - Other devices on your WiFi cannot access it
  3. Simpler security - Fewer things to configure and monitor

Privacy Benefits

  1. Data stays on your machine - Until you send it to the AI provider
  2. No unexpected access - Only you control when messages are sent
  3. Full visibility - You know exactly what is running

Verifying Local-Only Mode

Check Gateway Binding

bash

openclaw config get gateway.bind_address

Expected Result

127.0.0.1

What the addresses mean:

  • 127.0.0.1 - Local only (safe)
  • 0.0.0.0 - All interfaces (exposed to network)
  • Specific IP like 192.168.1.x - Exposed to that network

Check Listening Ports

bash

openclaw status --detailed

Expected Result

Gateway:
  Status: running
  Bind: 127.0.0.1:18789
  External access: disabled

Verify with System Tools

On macOS/Linux:

bash

lsof -i :18789

Expected Result

COMMAND   PID  USER  FD   TYPE  DEVICE  SIZE/OFF  NODE  NAME
node    12345  user  20u  IPv4  0x1234       0t0   TCP  127.0.0.1:18789 (LISTEN)

The key is seeing 127.0.0.1 not * or 0.0.0.0.
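The same check can be scripted instead of read by eye. This is an added example, not part of OpenClaw or the original guide: it parses lsof output and flags any listener on port 18789 that is not bound to loopback, and it goes beyond the guide by also recognising IPv6 listeners such as [::1] and [::]. The function names and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: function names and sample lines are constructed.
# Port 18789 and the lsof column layout are taken from the guide above.

# classify_bind ADDR:PORT -> prints "local" or "exposed"
classify_bind() {
    cb_host=${1%:*}            # drop the trailing :PORT
    cb_host=${cb_host#\[}      # drop IPv6 brackets, e.g. [::1]
    cb_host=${cb_host%\]}
    case "$cb_host" in
        127.*|::1|localhost) echo local ;;
        *) echo exposed ;;     # *, 0.0.0.0, :: or a specific interface address
    esac
}

# check_listeners PORT  (lsof output on stdin)
# Returns 0 if every listener on PORT is loopback, 1 if any is exposed,
# 2 if nothing is listening on PORT at all.
check_listeners() {
    cl_found=0 cl_bad=0
    # In lsof output the NAME column is the field just before "(LISTEN)".
    cl_names=$(awk -v p=":$1" '$NF == "(LISTEN)" && $(NF-1) ~ (p "$") { print $(NF-1) }')
    while IFS= read -r cl_name; do
        [ -n "$cl_name" ] || continue
        cl_found=1
        cl_verdict=$(classify_bind "$cl_name")
        echo "$cl_name $cl_verdict"
        [ "$cl_verdict" = local ] || cl_bad=1
    done <<EOF
$cl_names
EOF
    [ "$cl_found" -eq 1 ] || return 2
    [ "$cl_bad" -eq 0 ]
}

# Constructed sample: one loopback listener plus an IPv6 wildcard listener.
SAMPLE_EXPOSED='COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
node 12345 user 20u IPv4 0x1234 0t0 TCP 127.0.0.1:18789 (LISTEN)
node 12345 user 21u IPv6 0x1235 0t0 TCP *:18789 (LISTEN)'

if printf '%s\n' "$SAMPLE_EXPOSED" | check_listeners 18789; then
    echo "OK: gateway is local only"
else
    echo "WARNING: gateway port is not loopback-only"
fi
# Live use: lsof -nP -iTCP:18789 -sTCP:LISTEN | check_listeners 18789
```

A second listener on the wildcard address is easy to miss when only the first row is checked, which is why the function inspects every LISTEN row for the port.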

On Windows (PowerShell):

powershell

netstat -an | findstr 18789

Expected Result

TCP 127.0.0.1:18789 0.0.0.0:0 LISTENING

Ensuring Local-Only Configuration

Set the Bind Address

If your gateway is not bound to localhost, fix it:

bash

openclaw config set gateway.bind_address 127.0.0.1
openclaw gateway restart

Disable External Access Flag

bash

openclaw config set gateway.allow_external false

Disable Network Discovery

bash

openclaw config set gateway.announce false

This prevents OpenClaw from broadcasting its presence on the network.

Firewall Configuration

Even with local-only mode, adding firewall rules provides defense in depth.

macOS

macOS has a built-in application firewall:

  1. Open System Settings (or System Preferences on older versions)
  2. Go to Network > Firewall
  3. Click Options
  4. Ensure "Block all incoming connections" is enabled, or
  5. Add OpenClaw/Node to the list of blocked applications for incoming connections

Windows

Using Windows Defender Firewall:

powershell

# Block incoming connections to OpenClaw port
New-NetFirewallRule -DisplayName "Block OpenClaw External" -Direction Inbound -LocalPort 18789 -Protocol TCP -Action Block -RemoteAddress Any

Or through the GUI:

  1. Open Windows Defender Firewall with Advanced Security
  2. Click Inbound Rules > New Rule
  3. Select Port, click Next
  4. Enter 18789, click Next
  5. Select Block the connection, click Next
  6. Apply to all profiles, click Next
  7. Name it "Block OpenClaw External"

Linux (iptables)

bash

# Allow localhost
sudo iptables -A INPUT -p tcp --dport 18789 -s 127.0.0.1 -j ACCEPT

# Block everything else
sudo iptables -A INPUT -p tcp --dport 18789 -j DROP

Linux (ufw)

bash

# Deny external access to OpenClaw port
sudo ufw deny 18789

Note: This also blocks localhost. For more granular control, use iptables.

What About Messaging Channels?

When you connect Telegram, Discord, or WhatsApp, those connections are outbound (your computer connects to their servers). This is different from the gateway port.

Your Computer                    External Services
┌─────────────────┐              ┌─────────────┐
│  OpenClaw       │──outbound───>│  Telegram   │
│  Gateway        │──outbound───>│  Discord    │
│  (port 18789)   │──outbound───>│  WhatsApp   │
│                 │──outbound───>│  AI Provider│
└─────────────────┘              └─────────────┘
     ▲
     │ localhost only
     │
┌────┴────┐
│ Browser │ (dashboard)
│ or CLI  │
└─────────┘

Key point: Even in local-only mode, OpenClaw makes outbound connections to:

  • Telegram/Discord/WhatsApp servers
  • Your AI provider (Anthropic, OpenAI, etc.)

This is necessary for functionality. The "local only" setting controls inbound access to your gateway.

Testing Your Configuration

Try to Access from Another Device

From another computer or phone on the same network, try:

bash

curl http://YOUR_COMPUTER_IP:18789/

Expected result: Connection refused or timeout (not a response)

Run Security Audit

bash

openclaw security audit --deep

Expected Result

Security Audit Report

[PASS] Gateway bound to localhost only
[PASS] External access disabled
[PASS] Network announcement disabled
[PASS] Firewall protection recommended

Overall: SECURE

When You Might Need Non-Local Access

There are legitimate reasons to allow network access:

  1. Running on a server - Accessing from other machines
  2. Mobile access - Using OpenClaw from your phone
  3. Shared household - Family members using the same installation

If you need network access:

Additional Security Required

If you expose OpenClaw beyond localhost, you MUST implement additional security measures. See the official documentation for secure remote access configuration.

Minimum requirements for network access:

  • Set a strong control token
  • Use TLS encryption
  • Implement IP allowlisting
  • Set up proper authentication

Dashboard Access

The OpenClaw dashboard at http://127.0.0.1:18789/ is only accessible from your computer in local-only mode.

If Dashboard Does Not Load

  1. Check the gateway is running: openclaw status
  2. Verify the bind address: openclaw config get gateway.bind_address
  3. Ensure you are using 127.0.0.1 not your network IP
  4. Check your browser is not using a proxy

Accessing Dashboard Remotely (If Needed)

If you need remote dashboard access while keeping things secure:

Option 1: SSH Tunnel (recommended for technical users)

bash

ssh -L 18789:127.0.0.1:18789 user@your-server

Then access http://127.0.0.1:18789/ on your local machine.

Option 2: VPN

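Connect to your home network via VPN, then access the dashboard using your computer's local IP. A gateway bound to 127.0.0.1 does not answer on that address, so this option means binding to a network interface and applying the additional security measures described above.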

Troubleshooting

"Cannot connect to gateway"

If you previously had network access and switched to local-only:

  1. Clear browser cache
  2. Ensure you are using 127.0.0.1 or localhost, not your network IP
  3. Restart the gateway: openclaw gateway restart

"Channel connections failing"

Local-only mode should not affect outbound connections. If channels are not connecting:

  1. Check internet connectivity
  2. Verify channel configuration: openclaw channels status
  3. Check logs: openclaw logs --limit 20

"Health check failing"

bash

openclaw health

If this fails, the gateway might not be running or might be bound to a different address. Check:

bash

openclaw status
openclaw config get gateway.bind_address

Best Practices Summary

  1. Keep default settings - 127.0.0.1 bind address
  2. Verify periodically - Run openclaw security audit
  3. Add firewall rules - Defense in depth
  4. Do not expose unless necessary - Simplicity is security
  5. If you must expose - Use proper authentication and encryption

What To Do Next

  1. Is OpenClaw Safe? - Full security overview
  2. Avoid OpenClaw Scams - Protect yourself online
  3. OpenClaw Glossary - Understand the terminology

Need Help?

If you run into problems not covered here, check our Troubleshooting guide or visit the official OpenClaw documentation.
