Opengram

Tailscale

Use Tailscale to expose Opengram over HTTPS with zero configuration.

Tailscale is the recommended and simplest path to HTTPS for Opengram. It provides automatic TLS certificates for your tailnet hostname with no port forwarding, no certificate management, and no reverse proxy required.

Prerequisites

  • Tailscale installed on the machine running Opengram
  • MagicDNS enabled in your tailnet (enabled by default on new tailnets)
  • HTTPS certificates enabled in the Tailscale admin console under DNS > HTTPS Certificates

Determine your hostname

Find your machine's Tailscale hostname:

tailscale status

Your hostname will look something like my-server.tail1234.ts.net.

If you run opengram init on a machine with Tailscale, the setup wizard automatically detects your hostname and pre-fills the public URL for you.

Option A: Tailscale HTTPS forwarding

The simplest approach -- Tailscale terminates TLS and forwards traffic to Opengram:

tailscale serve --https=443 http://127.0.0.1:3000

This makes Opengram available at https://<hostname>.ts.net for all devices on your tailnet. Tailscale handles certificate provisioning and renewal automatically. The serve configuration is persistent across reboots, so you only need to run this command once.

To verify it is working:

tailscale serve status

Option B: Get a certificate for your own proxy

If you prefer to use your own reverse proxy (for example, to add custom headers or serve multiple services), you can obtain a Tailscale-issued certificate:

tailscale cert <hostname>.ts.net

This writes a certificate and private key to the current directory. You can then configure Caddy, nginx, or another reverse proxy to use these files for TLS termination.

Configure the public base URL

Update your opengram.config.json to use the Tailscale hostname:

{
  "server": {
    "publicBaseUrl": "https://<hostname>.ts.net"
  }
}

Replace <hostname>.ts.net with your actual Tailscale hostname.

Alternatively, you can set the OPENGRAM_PUBLIC_BASE_URL environment variable instead of editing the config file. This is useful for Docker deployments:

OPENGRAM_PUBLIC_BASE_URL=https://<hostname>.ts.net
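
An added example, not part of the Opengram documentation: a check to run before restarting that confirms the publicBaseUrl in opengram.config.json is an HTTPS URL on this node's own tailnet hostname. It assumes Option A (port 443) and reads the Self.DNSName and CertDomains fields from the output of tailscale status --json; the function name and the sample values are constructed for illustration.

```python
import json
from urllib.parse import urlsplit

# Constructed sample inputs, trimmed to the fields this check reads.
# The hostname is the placeholder used on this page, not a real node.
SAMPLE_STATUS = json.dumps({
    "Self": {"DNSName": "my-server.tail1234.ts.net."},
    "CertDomains": ["my-server.tail1234.ts.net"],
})
SAMPLE_CONFIG = json.dumps({
    "server": {"publicBaseUrl": "https://my-server.tail1234.ts.net"}
})


def check_public_base_url(config_text, status_text):
    """Return a list of problems; an empty list means the URL is consistent."""
    config = json.loads(config_text)
    status = json.loads(status_text)

    url = (config.get("server") or {}).get("publicBaseUrl")
    if not url:
        return ["server.publicBaseUrl is not set"]

    parts = urlsplit(url)
    try:
        port = parts.port
    except ValueError:
        return [f"publicBaseUrl has an invalid port: {url!r}"]

    host = (parts.hostname or "").lower()
    # The node's MagicDNS name is reported fully qualified (trailing dot).
    node = (status.get("Self") or {}).get("DNSName", "").rstrip(".").lower()
    cert_domains = [d.rstrip(".").lower() for d in status.get("CertDomains") or []]

    problems = []
    if parts.scheme != "https":
        problems.append(f"scheme is {parts.scheme!r}, expected 'https'")
    if port not in (None, 443):
        problems.append(f"port {port} does not match --https=443")
    if host != node:
        problems.append(f"host {host!r} is not this node ({node!r})")
    if host not in cert_domains:
        # Empty CertDomains usually means HTTPS certificates are not enabled.
        problems.append(f"no HTTPS certificate can be issued for {host!r}")
    return problems


if __name__ == "__main__":
    for line in check_public_base_url(SAMPLE_CONFIG, SAMPLE_STATUS) or ["ok"]:
        print(line)
```

On a real machine, pass the contents of opengram.config.json and the output of tailscale status --json in place of the two sample strings.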

Restart Opengram

After updating the configuration, restart Opengram for the change to take effect:

opengram restart

Or if running with Docker:

docker restart opengram

Exposing to the public internet

By default, tailscale serve only makes Opengram accessible to devices on your tailnet. If you need public access (for example, to receive webhook callbacks from external services), you can use Tailscale Funnel:

tailscale funnel --https=443 http://127.0.0.1:3000

Funnel exposes the service to the public internet at https://<hostname>.ts.net. Before enabling Funnel, make sure you have an instance secret configured to protect your API.
