
Community Blueprint: Raspberry Pi 5 Privacy-First OpenClaw Home Gateway Hardening Checklist

Problem/scenario: run OpenClaw long-term in a home environment while minimizing public-internet exposure and privacy leakage. Prerequisites: ARM64 device (Pi 5), NVMe, encrypted overlay network (e.g. Tailscale), a maintainable Linux host. Implementation steps: minimize system services → bind only to the encrypted interface → deny inbound by default → route sensitive tasks to local models. Key configuration: interface binding, firewall default deny, SSH key-only. Verification: unreachable from the public internet, controlled access inside the tunnel, long runtimes without thermal throttling. Risk: community recipes must be re-reviewed against your own local threat model.

Source: Reddit | Discovered 2026-02-19 | Author: u/LobsterWeary2675
Prerequisites
  • ARM64 host with active cooling and NVMe storage (SD-only deployments are not recommended for heavy indexing).
  • Overlay network is available and all admin access can be routed through encrypted tunnels.
Steps
  1. Install a minimal Debian/ARM64 image and enable unattended security updates before deploying OpenClaw.
  2. Set the firewall default policy to deny inbound; allow SSH and the OpenClaw listener only when they arrive on the overlay interface.
  3. Bind services to the overlay (encrypted) interface address only; do not leave listeners on LAN or WAN addresses.
  4. Harden SSH: key-only authentication, root login disabled, TCP/agent/X11 forwarding off, and verify the socket bind address after restarting the daemon.
  5. Define a routing policy: sensitive workloads stay on the local model tier; the cloud tier handles only non-sensitive, high-compute tasks.
  6. Run periodic security checks (listening ports, enabled services, update status) and record configuration drift weekly.
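Steps 2 through 4 and the weekly check in step 6 (and the port-exposure verification below) can be expressed as one script. The following is an added example, not code from the original post or from the OpenClaw project. It assumes a Tailscale overlay interface named tailscale0, a placeholder gateway TCP port of 18789 (substitute the port your gateway actually listens on), and the 100.64.0.0/10 CGNAT range that Tailscale assigns to nodes; all three are assumptions to adjust locally.

```shell
#!/bin/sh
# Added example (not from the original post or the OpenClaw project): render a
# default-deny nftables ruleset that admits SSH and the gateway port only on the
# overlay interface, render an sshd hardening drop-in, and audit listening sockets.
# Assumptions, adjust locally: overlay interface "tailscale0", gateway TCP port
# 18789 (placeholder; use the port your gateway really listens on), and the
# 100.64.0.0/10 range that Tailscale assigns to nodes.
set -eu

OVERLAY_IF="${OVERLAY_IF:-tailscale0}"   # assumed overlay interface name
GATEWAY_PORT="${GATEWAY_PORT:-18789}"    # assumed OpenClaw gateway port (placeholder)

# Inbound defaults to drop. Loopback, established replies and ICMP are allowed;
# SSH and the gateway port are accepted only when they arrive via the overlay.
# Forwarding is dropped so the Pi cannot be used as a pivot between networks.
render_ruleset() {
  cat <<EOF
flush ruleset
table inet filter {
  chain input {
    type filter hook input priority 0; policy drop;
    iif lo accept
    ct state invalid drop
    ct state established,related accept
    ip protocol icmp accept
    ip6 nexthdr icmpv6 accept
    iifname "$OVERLAY_IF" tcp dport { 22, $GATEWAY_PORT } accept
  }
  chain forward { type filter hook forward priority 0; policy drop; }
  chain output  { type filter hook output priority 0; policy accept; }
}
EOF
}

# sshd_config drop-in (for /etc/ssh/sshd_config.d/): key-only auth, no root
# login, no forwarding, and ListenAddress pinned to the overlay IPv4 address ($1).
render_sshd_dropin() {
  cat <<EOF
ListenAddress $1
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
PermitRootLogin no
AllowTcpForwarding no
AllowAgentForwarding no
X11Forwarding no
PermitTunnel no
EOF
}

# Audit "ss -Hltn" output on stdin (one listening TCP socket per line, local
# address in column 4). Loopback and overlay (100.64.0.0/10) binds pass;
# wildcard binds (0.0.0.0, [::], *) and LAN/WAN addresses are reported.
# Returns 1 if any exposed listener was found, 0 otherwise.
audit_listeners() {
  bad=0
  while IFS= read -r line; do
    set -- $line
    [ $# -ge 4 ] || continue
    case "$4" in
      127.0.0.1:*|"[::1]":*) ;;
      100.6[4-9].*|100.[7-9][0-9].*|100.1[01][0-9].*|100.12[0-7].*) ;;
      *) echo "exposed listener: $4"; bad=1 ;;
    esac
  done
  return $bad
}

case "${1:-demo}" in
  apply) render_ruleset | nft -f - ;;     # needs root; replaces the live ruleset
  audit) ss -Hltn | audit_listeners ;;    # weekly drift check; non-zero exit on exposure
  sshd)  render_sshd_dropin "${2:?overlay IPv4 address required}" ;;
  demo)
    render_ruleset
    # Constructed sample of "ss -Hltn" output (not a real capture); the second
    # line is a wildcard bind and is reported as exposed.
    printf '%s\n' 'LISTEN 0 128 127.0.0.1:5432 0.0.0.0:*' \
                  'LISTEN 0 128 0.0.0.0:18789 0.0.0.0:*' | audit_listeners || true
    ;;
esac
```

Run `sh harden.sh apply` from a console session rather than over a LAN SSH connection, since the ruleset is flushed and replaced in one step; once it behaves, persist it to /etc/nftables.conf and enable the nftables service. Two caveats: pinning ListenAddress to the overlay IP means sshd must start after Tailscale has brought the interface up (otherwise the bind fails on reboot and you lose SSH), so either add that ordering to the sshd unit or leave sshd on all addresses and rely on the firewall rule alone; and the audit only inspects the Pi's own sockets, so still confirm from a separate LAN host that the gateway port is closed.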
Commands
openclaw gateway status
openclaw status
openclaw gateway restart
Verify

A port scan from a LAN host and from the public side finds no exposed OpenClaw service, while admin access and messaging control through the tunnel remain functional.

Caveats
  • The post is community-authored; specific package and service names vary by distro and should be validated locally (needs verification).
  • Hardening without a backup and rollback plan can increase recovery time during incident response.
Source attribution

This tip is aggregated from community/public sources and preserved with attribution.
