
OpenClaw Isolated Deployment (Dedicated VLAN + Tailscale ACL) Hardening Checklist

For the scenario "I want to run OpenClaw without letting the node see my main home network": a dedicated machine, VLAN isolation, and fine-grained Tailnet ACLs, establishing a minimal-reachability remote operations path.

Reddit · Discovered 2026-02-13 · Author u/OnionPersonal2632
Prerequisites
  • Router/firewall supports VLAN segmentation and inter-VLAN deny rules (e.g., OPNsense).
  • A dedicated host is available for OpenClaw (clean OS, no personal account bindings).
  • Remote admin path (SSH/RDP over Tailscale) is prepared.
Steps
  1. Provision a dedicated host and run OpenClaw in container/runtime isolated from personal workloads.
  2. Place the host in a dedicated VLAN; default-deny all inter-VLAN traffic in both directions.
  3. Allow only required egress to WAN destinations for model/provider access.
  4. Use Tailscale for admin ingress and apply ACLs so that management devices can reach the node, but the node cannot move laterally to other tailnet peers.
  5. Run periodic network validation (port scans + route checks) after each config change.
Commands
openclaw gateway status
openclaw gateway restart
# tailscale ACL + firewall rules must be reviewed in staging first
Verify

Management clients can reach OpenClaw admin endpoints, while node-to-LAN and node-to-tailnet lateral traffic remains blocked.
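One way to make the step 4 ACL shape checkable after every change (step 5), as an added example that is not part of the original post or of OpenClaw: lint the Tailscale policy so the node never appears as a source and only the admin group reaches it, on admin ports only. It assumes the node is tagged `tag:openclaw`, admins are `group:admins`, and the gateway admin port 18789 is a constructed placeholder.

```python
"""Lint a Tailscale ACL policy against the isolation pattern (steps 4 and 5).
Added example, not from the original post. Assumes the OpenClaw host carries
`tag:openclaw`, admins are `group:admins`, and admin ingress is SSH (22) plus
a gateway admin port (18789 is a constructed placeholder).
"""
import json

NODE_TAG = "tag:openclaw"        # assumption: ACL tag on the OpenClaw host
ADMIN_GROUP = "group:admins"     # assumption: management devices
ADMIN_PORTS = {"22", "18789"}    # assumption: SSH + gateway admin port

# Constructed policy (HuJSON without comments so json.loads accepts it). A
# custom Tailscale policy is default-deny, so the node gets no outbound rule.
POLICY_TEXT = """
{
  "groups": {"group:admins": ["alice@example.com"]},
  "tagOwners": {"tag:openclaw": ["group:admins"]},
  "acls": [
    {"action": "accept", "src": ["group:admins"],
     "dst": ["tag:openclaw:22", "tag:openclaw:18789"]}
  ]
}
"""


def check_policy(policy: dict) -> list[str]:
    """Return findings; an empty list means the policy matches the pattern."""
    findings = []
    for i, rule in enumerate(policy.get("acls", [])):
        if rule.get("action") != "accept":
            continue
        srcs, dsts = rule.get("src", []), rule.get("dst", [])
        # Lateral movement: the node (or a wildcard) listed as a source.
        if NODE_TAG in srcs or "*" in srcs:
            findings.append(f"acl[{i}]: {NODE_TAG} or wildcard may initiate to {dsts}")
        for dst in dsts:
            host, _, ports = dst.rpartition(":")
            if host != NODE_TAG:
                continue
            # Ingress to the node: only admins, only admin ports.
            if set(srcs) - {ADMIN_GROUP}:
                findings.append(f"acl[{i}]: non-admin src {srcs} reaches the node")
            for port in ports.split(","):
                if port == "*" or port not in ADMIN_PORTS:
                    findings.append(f"acl[{i}]: node exposes port {port}")
    return findings


def lint(policy_text: str) -> list[str]:
    return check_policy(json.loads(policy_text))
```

Run it against the exported policy before applying it in production; an empty result only covers the tailnet side, so the VLAN firewall rules still need their own port-scan and route check.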

Caveats
  • This pattern reduces blast radius but is not absolute trustlessness; host compromise can still abuse allowed egress.
  • ACL semantics and firewall defaults differ by environment; exact rules must be validated per deployment (to be verified).
Source attribution

This tip is aggregated from community/public sources and preserved with attribution.
