Tailscale Hub

Tailscale provides the private WireGuard mesh network connecting the Hetzner VPS, EC2 Mac Ultra, and any personal devices (Mac mini, laptops). It serves two distinct roles in OpenClaw: (1) Tailscale Funnel — a fallback public webhook path (srv1347501.tailb025a7.ts.net) when the Cloudflare Tunnel is down; (2) MagicDNS + SSH — private node-to-node connectivity for the VPS→Mac Ultra SSH pattern that all InvestorLift scraping requires. Read this hub before making any tunnel/funnel changes, adding new nodes, or modifying the Mac Ultra Tailscale daemon.

⚠️ SOURCE MISSING

No workspace/knowledge-base/tailscale/ directory exists. This hub is authored entirely from CLAUDE.md, workspace/FUNNEL-REGISTRY.md, and the Wave 1 cloudflare + aws hubs. G-KB-SYNC-WITH-CLAUDEMD gap: tailscale platform is not listed in CLAUDE.md §Platforms with KB docs. Create a KB stub before any significant Tailscale API work.


Quick reference

Field                    Value
Vendor                   Tailscale Inc.
URL                      https://login.tailscale.com
KB doc                   SOURCE MISSING — no workspace/knowledge-base/tailscale/ directory
Auth method              OAuth (admin console) + Auth key (node provisioning)
Auth credential          op://Aurora/tailscale/auth-key
Cred-proxy port          n/a
Webhook port             n/a (Tailscale is the network layer, not a webhook source)
Webhook handler          n/a
Webhook dedup table      n/a
Tunnel path              Tailscale Funnel: srv1347501.tailb025a7.ts.net (fallback only)
Outbound API base        https://api.tailscale.com/api/v2
Rate limits              NEEDS VERIFICATION — no KB doc exists
Rate-limit action        NEEDS VERIFICATION
Cost                     Free for personal/small teams; Teams plan for larger tailnets — NEEDS VERIFICATION
Backup/recovery          MagicDNS hostnames persist across reboots via LaunchDaemon on Mac Ultra; Tailscale state file on VPS
Discord alert channel    ops
Drift cadence            Manual; no automated Tailscale health check currently wired
Status                   production

Role 1: Tailscale Funnel — fallback public webhook path

Architecture: Cloudflare Tunnel (canonical) vs Tailscale Funnel (fallback)

OpenClaw uses Cloudflare Tunnel (webhook.reri.co) as the canonical path for all inbound webhooks. Tailscale Funnel is the instant rollback path only — providers are NOT currently registered to the Funnel URL. It is kept active and unadvertised.

CANONICAL (normal operation):
  Internet → webhook.reri.co (CF Tunnel v19, ID 849121e5-...) → :18790 / :18792 / :18793 / :18797

FALLBACK (CF Tunnel down):
  Internet → srv1347501.tailb025a7.ts.net (Tailscale Funnel)
           → same handler ports
  ⚠️ Provider webhook URLs must be manually updated to Funnel URL before traffic flows

Key distinction — Tunnel vs Funnel:

                       Cloudflare Tunnel                          Tailscale Funnel
DNS name               webhook.reri.co                            srv1347501.tailb025a7.ts.net
Status                 Canonical — all providers registered       Fallback — unadvertised, no providers registered
WAF                    Yes (Cloudflare Pro WAF + custom rules)    No WAF
Path strips            No                                         YES — strips path prefix (e.g. /voice/webhook → handler sees partial path)
Twilio HMAC rollback   Full dual-URL verifier works               UNTESTED — dual-URL verifier handles CF path correctly but Funnel path-strip behavior breaks HMAC
Governance             Full FUNNEL-REGISTRY                       Same registry; listed as fallback-only

Funnel governance rules

Per CLAUDE.md §MANDATORY: Webhook Endpoint Governance:

  1. Adding any new public endpoint via Funnel requires a FUNNEL-REGISTRY.md entry FIRST, with all 4 non-negotiable requirements: (a) IP filter or sig verify, (b) dedup via processed_webhook_events, (c) non-blocking webhook_audit_log write, (d) handler port in registry.
  2. Changing Funnel config requires Henry explicit approval per feedback_tailscale_serve_strict_approval.
  3. After any Funnel change: run node workspace/scripts/security-audit-funnel.js --dry-run and verify clean.
  4. New public endpoints MUST NOT use Tailscale Funnel unless Cloudflare Tunnel is unavailable. Funnel is fallback, not a primary path.

Path-strip caveat for rollback

If the Cloudflare Tunnel goes down and providers are switched to the Tailscale Funnel URL, the Twilio HMAC signature verifier will need to handle the path-strip behavior. The current dual-URL verifier (workspace/webhooks/twilio-voice-handler.js) handles the CF canonical path correctly — Funnel rollback for Twilio is untested. Test this before the next incident.


Role 2: Private mesh — VPS to EC2 Mac Ultra SSH

Tailscale MagicDNS provides stable, VPN-encrypted hostname resolution for all tailnet nodes. This is essential for the VPS→Mac Ultra SSH pattern that all InvestorLift scraping depends on.

Network topology

Tailnet: tailb025a7

Nodes:
  srv1347501.tailb025a7.ts.net   — Hetzner VPS (production)     IP: varies
  openclaw-mac-ultra              — EC2 Mac Ultra (arm64)         IP: 100.123.248.46
  auroras-mac-mini                — Home Mac mini (BlueBubbles)   IP: 100.93.7.6
  (personal devices if enrolled)

VPS → Mac Ultra SSH connection

# Mandatory pattern for InvestorLift scraping
ssh -i ~/.ssh/openclaw-mac.pem ec2-user@100.123.248.46 "<command>"
 
# MagicDNS alternative (resolves even if IP changes)
ssh -i ~/.ssh/openclaw-mac.pem ec2-user@openclaw-mac-ultra "<command>"
 
# Verify connectivity first
tailscale status | grep openclaw-mac-ultra
ssh -i ~/.ssh/openclaw-mac.pem ec2-user@100.123.248.46 "uptime"

SSH key: ~/.ssh/openclaw-mac.pem — AWS-only; not used for other Mac hosts.

Mac mini (BlueBubbles) — iMessage relay

The auroras-mac-mini (IP 100.93.7.6) hosts BlueBubbles for iMessage relay. It is the source of /imessage handler traffic, which is routed exclusively via Tailscale (never via public Cloudflare Tunnel).

auroras-mac-mini:18802  →  VPS Tailscale IP:18802  →  imessage-handler.js

IMPORTANT: Use MagicDNS hostname auroras-mac-mini, not the raw Tailscale IP — the IP rotated 2026-04-27 after a power cycle. See FUNNEL-REGISTRY §Internal Tailscale-Only Handlers.


Role 3: Tailscale daemon on EC2 Mac Ultra

A system-level LaunchDaemon is installed on openclaw-mac-ultra to ensure Tailscale persists across reboots without requiring a logged-in user session. This is critical — without it, Mac reboots break all VPS→Mac SSH connections and halt InvestorLift scraping.

Property        Value
LaunchDaemon    com.openclaw.tailscaled
Host            EC2 Mac Ultra (openclaw-mac-ultra, 100.123.248.46)
Plist path      /Library/LaunchDaemons/com.openclaw.tailscaled.plist
Binary          /opt/homebrew/bin/tailscaled --state=/var/lib/tailscale/tailscaled.state --socket=/var/run/tailscaled.socket
Log files       /var/log/tailscaled.log, /var/log/tailscaled.err.log
Purpose         System-level persistence; no user session required

After any Mac reboot (e.g., recovering from impaired state), verify Tailscale before IL work:

tailscale status | grep openclaw-mac-ultra
# Expected: openclaw-mac-ultra  100.123.248.46  ...  active

If the daemon is not running on the Mac:

ssh -i ~/.ssh/openclaw-mac.pem ec2-user@100.123.248.46 \
  "sudo launchctl load /Library/LaunchDaemons/com.openclaw.tailscaled.plist"

Plan reference: openclaw-obsidian-vault-2026-05-02 §Phase 6.1.2


Components

  • workspace/FUNNEL-REGISTRY.md — canonical registry for all public + Tailscale-only endpoints
  • workspace/scripts/security-audit-funnel.js — weekly Funnel/Tunnel/registry drift audit
  • ~/.ssh/openclaw-mac.pem — SSH key for EC2 Mac Ultra via Tailscale IP
  • /Library/LaunchDaemons/com.openclaw.tailscaled.plist (on Mac Ultra) — system-level Tailscale daemon
  • webhooks/imessage-handler.js — BlueBubbles handler (Tailscale-only source: auroras-mac-mini)
  • security-audit-funnel.timer — systemd timer (Mon 06:00 LA) for weekly audit

How it’s used

  • Trigger (Funnel): Cloudflare Tunnel failure or intentional rollback — providers switched to srv1347501.tailb025a7.ts.net URLs
  • Trigger (SSH/MagicDNS): Any InvestorLift scraping task, IL cookie refresh, or Mac-specific operation
  • Trigger (iMessage): BlueBubbles posts to auroras-mac-mini → VPS:18802/imessage over Tailscale
  • Flow (IL scraping): VPS script → SSH via Tailscale → Mac curl with IL cookies → parse HTML → S3 URLs → download on VPS
  • Agents involved: _summary (infra oversight), _summary (IL data), _summary (iMessage via BlueBubbles)
  • Failure mode: Tailscale daemon on Mac goes down → SSH fails → IL scraping blocked. Recovery: reboot Mac (AWS Console) → wait for LaunchDaemon to start tailscaled → verify with tailscale status.
  • Success criteria: tailscale status | grep openclaw-mac-ultra shows active; ssh -i ~/.ssh/openclaw-mac.pem ec2-user@100.123.248.46 "uptime" returns; Funnel health check node workspace/scripts/security-audit-funnel.js --dry-run exits clean.

Agents that touch this

  • _summary — infrastructure oversight; Tailscale node health
  • _summary — iMessage relay via auroras-mac-mini → Tailscale → VPS
  • _summary — IL deal ingestion via Mac SSH

Skills that invoke this

Plans that govern this

Feedback rules

KB / source docs

  • SOURCE MISSING: workspace/knowledge-base/tailscale/ — no KB directory; authored from CLAUDE.md + FUNNEL-REGISTRY.md only. Tailscale docs: https://tailscale.com/kb
  • API — Cloudflare Tunnel comparison reference
  • FUNNEL-REGISTRY — authoritative endpoint registry (Tailscale Funnel section)

System maps

This hub is part of the Webhook/tunnel cluster. cloudflare is the cluster anchor:

  • cloudflare — Tunnel vs Funnel distinction: Cloudflare Tunnel = canonical, WAF-protected. Tailscale Funnel = unadvertised fallback, no WAF, path-strips. Never switch providers to Funnel without coordinating with the Cloudflare hub governance.
  • hubspot — inbound via CF Tunnel /webhook/hubspot
  • salesmsg — inbound via CF Tunnel /webhook/salesmessage
  • twilio — inbound via CF Tunnel /sms + /voice; Funnel rollback untested
  • openphone-quo — inbound via CF Tunnel /webhook/openphone

This hub is also part of the Infra/compute cluster:

  • hetzner — VPS host; srv1347501.tailb025a7.ts.net is the VPS Tailscale hostname
  • aws — EC2 Mac Ultra; openclaw-mac-ultra is the Mac’s Tailscale node; Tailscale LaunchDaemon installed here
  • 1password — op://Aurora/tailscale/auth-key — node auth key; LiveKit creds (OSIL B10 ratified) also in Aurora vault

Open issues / TODOs

  • G-KB-SYNC-WITH-CLAUDEMD gap: tailscale not in CLAUDE.md §Platforms with KB docs. Create workspace/knowledge-base/tailscale/ stub + update CLAUDE.md.
  • Funnel → Twilio HMAC rollback untested: dual-URL verifier not tested against Funnel path-strip behavior. Test before next incident.
  • No automated Tailscale health check: tailscale status is not probed by any cron. If the Mac node goes offline, nothing alerts. Wire a 5-min health check to Discord ops.
  • Auth key rotation cadence unknown: NEEDS VERIFICATION — Tailscale auth keys can expire. Confirm key expiry policy and add rotation reminder.
  • Mac impaired (2026-05-02): When Mac is restored, verify com.openclaw.tailscaled LaunchDaemon auto-started. See aws §EC2 Mac Ultra — IMPAIRED.

Recent activity

  • 2026-05-03: hub created (W2-S8 sub-agent); SOURCE MISSING flagged for KB directory
  • 2026-05-02: com.openclaw.tailscaled LaunchDaemon installed on Mac Ultra (Plan §Phase 6.1.2)
  • 2026-04-21: Tailscale Funnel demoted to fallback-only; Cloudflare Tunnel became canonical (Phase 9)
  • 2026-04-21: FUNNEL-REGISTRY.md created; Tailscale Funnel section added as fallback registry