Securely Access OpenClaw with Workers VPC

Cloudflare Developers | 00:14:27 | Mar 26, 2026
Chapters: 11
The chapter introduces running OpenClaw on Raspberry Pi and demonstrates accessing it securely via Cloudflare Workers, highlighting the goal of remote access without exposing local hardware. It also sets up the premise by noting that no Raspberry Pi installation steps will be shown here, as a detailed guide already exists.

Secure OpenClaw on a Raspberry Pi from anywhere by wiring it through Cloudflare Workers VPC and Cloudflare Access.

Summary

Cloudflare Developers presents a practical walkthrough showing how to securely expose an OpenClaw instance running on a Raspberry Pi using Workers VPC. The host demonstrates creating a VPC tunnel, selecting ARM 64 for the Pi, and installing the tunnel service with a private token. He then builds a Workers application that talks to OpenClaw through the VPC, aided by a local repo and Wrangler configuration. The tutorial emphasizes security, including keeping the gateway token secret and enabling Cloudflare Access to gate the app behind login. After linking the VPC service, the video covers deploying the worker, updating gateway and team domain settings, and rotating the AUD when enabling access. The presenter also discusses testing locally with npm run dev, then deploying to production with npm run deploy, and finally verifying access via the Cloudflare Access login flow. A recurring theme is that this setup allows you to reach a local OpenClaw instance from anywhere, without exposing it publicly. He caps the session by linking to a detailed step-by-step blog post and suggesting alternatives for beginners.

Key Takeaways

  • OpenClaw on Raspberry Pi can be securely exposed globally by connecting a local device to Cloudflare Workers VPC using a tunnel and a service ID.
  • The architecture uses localhost as the host and a custom port (18789) inside a Cloudflare Workers VPC service to proxy OpenClaw through a worker URL.
  • Gateway tokens must be kept private; the tutorial shows retrieving and copying the token during the tunnel setup and deployment.
  • Enable Cloudflare Access on the deployed application and rotate the AUD in the dashboard to restrict access to authorized users.
  • Deployment steps include cloning a starter repo, configuring wrangler.json with the VPC service ID, and running npm run deploy with environment variables wired via npx wrangler secret bulk env.
  • Testing can be done locally with npm run dev before full deployment, ensuring the OpenClaw gateway UI and chat endpoints respond as expected.
  • Rotating the AUD and updating the team domain in Wrangler aligns the production app with the correct Cloudflare Access policy.

Who Is This For?

Cloudflare developers and OpenClaw users who run the service on local hardware (like Raspberry Pi) and want secure, global access through Cloudflare’s VPC and Access features.

Notable Quotes

"This is fantastic."
The speaker expresses immediate satisfaction with seeing OpenClaw run on Raspberry Pi and accessible UI.
"To get started with a Workers VPC application, head on to your Cloudflare dashboard and go to Compute and then select VPC."
First practical navigation step to set up the VPC connection.
"Once the service is successfully installed, you can see the connection status on the cloud dashboard has turned green."
Confirms that the tunnel installation is live and healthy.
"This is going to be deployed for me. All right, so my OpenClaw instance is up and running on this URL."
Describes the moment of deploying and exposing the OpenClaw instance.
"Now I have access to my app. I can again navigate to the chat endpoint and start talking."
Demonstrates successful end-to-end access to the OpenClaw chat through the secured URL.

Questions This Video Answers

  • How can I expose a Raspberry Pi OpenClaw instance securely with Cloudflare Workers VPC?
  • What is Cloudflare Access AUD and how do I rotate it for production access?
  • How do I configure Wrangler with a VPC service ID for OpenClaw behind Cloudflare?
  • What are the steps to test OpenClaw locally before full deployment on Cloudflare?
  • Can I proxy OpenClaw control UI via a Cloudflare Worker without exposing the local IP?
Cloudflare Workers VPC, Cloudflare Access, OpenClaw, Raspberry Pi, Wrangler, Gateway token, Hono, JWT middleware, Tunnel setup

Full Transcript
You might have already bought a Mac Mini or you might have already been running your OpenClaw instance on a local hardware or maybe a VPS and then you saw this video or maybe this video where you learned that you can deploy OpenClaw on Cloudflare's global network and you are regretting it. Well, don't worry if you have already bought a Mac Mini or you are already running your OpenClaw instance on your own hardware. In this video, I am going to show you how I am using my OpenClaw instance running on Raspberry Pi and securely accessing it through Cloudflare Workers. To give you a quick demo, let's just ask OpenClaw itself where it is running. And as you can see, it says that it is running on a Raspberry Pi. This is fantastic. Now, I'm not going to show you how to install OpenClaw on Raspberry Pi. I already have written a detailed article on this step by step. In this video, I want to show you how you can access your OpenClaw instance from anywhere around the world via Workers VPC. Workers VPC allows you to connect your Worker application to any of your private applications running in an external cloud service or, in my case, Raspberry Pi. Workers VPC is the bridge between my locally running Raspberry Pi and my Workers application. To get started with a Workers VPC application, head on to your Cloudflare dashboard and go to Compute and then select VPC. I already have a test service, but I'm going to create a new one. And to do that, I'll click on create VPC service and create a new tunnel. I'm going to call it openclaw demo and then click on create tunnel. And this is going to take me through the steps of configuring and installing tunnel on my Raspberry Pi. Now I'm going to uh select Debian and then ARM64 because this is the architecture for my Raspberry Pi and I will be now copying the commands shown in the dashboard and executing them on my Pi. All right, now that cloudflared is installed, I'm going to go and install the service.
So I'm going to copy this command and paste it in here. Now one thing you want to make sure is the install service command has a token. This token should not be shared with anyone. So make sure you don't expose this token anywhere. Once the service is successfully installed, you can see the connection status on the cloud dashboard has turned green. We can click on continue and see that our tunnel has the status healthy. Let's go back to our Workers VPC and now create the VPC service. I'm going to call it open claw video and select the tunnel that I just created. In this field, I will configure localhost as my host and I need to set up a custom port. Since OpenClaw runs on port 18789, I'm going to click on create service and this is going to create the VPC service for me. Now that I have this VPC service, I can copy the service ID which we will need later on in the video. Now before we move forward, let's try and understand the architecture. What we're going to do is we are going to access OpenClaw through a URL and hence we need a browser. We're going to make a request to that URL through the browser and that request is going to go and flow through Access. Now we haven't configured Cloudflare Access yet. We're going to do it later on. But Access is going to prevent anyone else apart from me from accessing my OpenClaw instance. Once I have Access configured and I am uh logged in, I can access the worker application. Now this worker application is connected to my OpenClaw instance through Workers VPC. Quite interesting, right? Now so far we have OpenClaw running on a Raspberry Pi and we have also configured a Cloudflare Workers VPC. Let's go ahead and create a worker which we are going to use then to access our OpenClaw instance. Now you can go ahead and create a completely new Workers application. But if you want to just get started quickly, I already have a repo that you can clone. Now in this video I am going to use this repo. So I'm going to clone this repo.
Now I'm going to clone this repo on my local machine. I'm going to call this repo demo openclaw. Now that the repo is created, let's cd into that and install the packages. All right. Now let's take a look at the code. Now this is a Cloudflare Worker application and here is the wrangler.json file. Now this is where we are going to configure our VPC service. As you can see, I already have the binding in here. All you have to do is replace the service ID with the service ID you copied earlier. Now, if we go to our source index.ts file, we can see the code in here. Now, this application is using Hono for the routing. Now, as I mentioned, we are going to use Cloudflare Access to make sure no one else can access our OpenClaw instance. And for that I have also created a middleware which is going to do a JWT validation as well. I have just commented this out because we want to test it out locally first. Now over here is a talk endpoint which you can use if you want to configure it uh to run it with something like a Siri shortcut. Now similar to the talk endpoint I have a v1 chat completion endpoint. This is again taking the user input, sending it to our OpenClaw instance and giving the response back. This endpoint is being also used in our custom chat interface which lives in the public directory. The next endpoint is the tool invocation endpoint. It allows you to call any tools that you have configured in your OpenClaw instance. The rest of these endpoints, they basically proxy OpenClaw's control UI through a worker. Now instead of uh navigating OpenClaw through an IP address, which would only work if you are on the same network, you can access OpenClaw's uh control UI from your worker's URL as well. Now to make this work with OpenClaw you need to make sure that you have your OpenClaw gateway token configured and make sure you get that gateway token as well. Once you have the gateway token created, make sure you copy it.
And well, if you're not sure how to get your gateway token, you can SSH into your Raspberry Pi and run the command. I'll also share the link of this detailed step-by-step guide in the video description. I have configured my OpenClaw gateway token and I'm going to start the local server with npm run dev. Now, because I am using multiple accounts, it is going to ask me which account I want this worker to be associated with. And I'm going to go with my free demo account because this is the account where I created the VPC service. As you can see, our worker is running on localhost:8788. So, I can navigate to it. And now I can see OpenClaw's control UI available on localhost:8788. Well, if you are also running into this error, don't worry. All you have to do is update your gateway's configuration and add the URL to the allowed origins list. While this is giving us an error, let's check out our custom uh chat interface. Now, in here is the custom chat interface. And I'm going to simply type a message. And as we can see, we get a message back from our OpenClaw agent. Isn't this fantastic? So I don't have to now use the default chat interface or even configure any channels. I can deploy this application and use it wherever I want. So the next step is to deploy it. Now to deploy it, I am going to run the command npm deploy. And this is going to deploy it for me. All right. So my OpenClaw instance is up and running on this URL. However, I still need to configure my gateway token for my production application. I can run the command npx wrangler secret bulk env. And this is going to take the environment variables from our .env. So now if I go on to this URL, I still see the error for my control UI, which is fine because I still haven't configured it in the allowed origin list. But I can go ahead and access the chat interface and start chatting over here. Awesome. And as you can see, we got a response back from our agent. This is fantastic, isn't it?
So now using this URL, I can access my OpenClaw instance or my OpenClaw agent from anywhere. However, there is still a huge risk because I still haven't enabled Cloudflare Access. Anyone with this URL can interact with my OpenClaw instance, which is obviously dangerous. So, let's go ahead and change that. I'm going to come back to my Cloudflare dashboard and navigate to my newly deployed application. The first thing I want to do is go to settings. Click on the three dots and enable Cloudflare Access. Once this is enabled, make sure you copy this AUD and take a note of your URL in here. This is what we need to configure as well. So, I'm going to click on dismiss. Now, in the variables and secrets section, I'm going to edit this variable that is policy AUD. Click on rotate and paste the AUD that we copied from the earlier step and then click on deploy. While this deploys, let's go back to our code and update our team domain over here. For me, this was cf herself. For you, it might be different. So, in your Wrangler file, update the team domain. Save this and go back to your index.ts file and uncomment the middleware usage over here. I'm going to click on save, come back to my terminal and run npm run deploy. Now, as you can see, the team name on our dashboard is different to what we configured and we want to use the one that we configured locally. So, I'm going to go with yes, and this is going to update the team name on my deployed application. Now while you already have Access enabled, you don't really need to have the JWT validation middleware. I have added the middleware to make sure that if I want to access the text or the chat completion endpoint, it still goes through a secure way of accessing those. The application got redeployed. So I can go over to this URL and as you can see now I get the login screen over here. Now I'll enter my email address which is configured with my Cloudflare account.
You can also update your Cloudflare Access policy to add more email addresses. Now the email addresses you add in there will be able to use your worker application. I got the code on my email address. I'm going to enter it and sign in. And now I have access to my app. I can again navigate to the chat endpoint and start talking. Well, we got a response back again from our OpenClaw agent. Well, let's recall on what we saw today. Just like you, I am running OpenClaw on a hardware. For me, it's a Raspberry Pi. Now, the limitation over here is that I can only access it on my local network. If I am commuting or out of range of my home network, I would not be able to use it. And a way to make it accessible for me from anywhere across the globe, I am using Workers VPC. Now Workers VPC sits between my uh locally running OpenClaw instance and my Cloudflare Worker application. And also to make sure that only I am authorized to use this application, I configured Cloudflare Access in there. Now I have the step-by-step guide again for this on the blog which I'm going to link it in the description. Now, if you're very new to OpenClaw and just trying it out, I would suggest trying it out via Moltworker. My colleagues have created step-by-step guide and explainers on what it is and how you can deploy OpenClaw on Cloudflare infrastructure. While this was my setup for OpenClaw, I would love to know from you how you are using OpenClaw, where are you running it and how are you making sure it is secure enough. See you until next
