diff --git a/.openclaw-sync/source.json b/.openclaw-sync/source.json index 5fc65aa2c..b9d8685c7 100644 --- a/.openclaw-sync/source.json +++ b/.openclaw-sync/source.json @@ -1,5 +1,5 @@ { "repository": "openclaw/openclaw", - "sha": "71ab341f460e421fde6a3653ace5a44f25acce0b", - "syncedAt": "2026-04-29T21:33:45.893Z" + "sha": "f0f1635f9f56e43edd852783145137de7c23559b", + "syncedAt": "2026-04-29T21:37:39.768Z" } diff --git a/docs/vps.md b/docs/vps.md index f0aecbd34..d58186de4 100644 --- a/docs/vps.md +++ b/docs/vps.md @@ -43,6 +43,21 @@ A community video walkthrough is available at Related pages: [Gateway remote access](/gateway/remote), [Platforms hub](/platforms). +## Harden admin access first + +Before you install OpenClaw on a public VPS, decide how you want to administer +the box itself. + +- If you want Tailnet-only admin access, install Tailscale first, join the VPS + to your tailnet, verify a second SSH session over the Tailscale IP or + MagicDNS name, then restrict public SSH. +- If you are not using Tailscale, apply the equivalent hardening for your SSH + path before exposing more services. +- This is separate from Gateway access. You can still keep OpenClaw bound to + loopback and use an SSH tunnel or Tailscale Serve for the dashboard. + +Tailscale-specific Gateway options live in [Tailscale](/gateway/tailscale). + ## Shared company agent on a VPS Running a single agent for a team is a valid setup when every user is in the same trust boundary and the agent is business-only.