Access guide

Note: This guide uses the default PicoCluster Claw configuration. If you changed hostnames, IP addresses, usernames, or tokens via configure-pair.sh or your own setup, substitute your values throughout. Defaults: hostnames clusterclaw/clustercrush, IPs 10.1.10.220/10.1.10.221, user picocluster, token picocluster-token.

Quick Reference

Interface	HTTP (LAN)	HTTPS (tunnel)	Notes
PicoCluster Claw Portal	`http://clusterclaw`	—	Landing page with status + docs
ThreadWeaver	—	`https://localhost:5174`	Chat UI — requires SSH tunnel
OpenClaw Dashboard	—	`https://localhost:18790`	Requires SSH tunnel + HTTPS
OpenClaw TUI	`ssh picocluster@clusterclaw` then `openclaw tui`	—	Terminal chat
Ollama API	`http://clustercrush:11434/v1`	—	OpenAI-compatible (clusterclaw only)

Why OpenClaw Requires HTTPS

OpenClaw’s Control UI uses the Web Crypto API for device identity, which browsers only allow in a “secure context” — either HTTPS or localhost. Accessing the dashboard over plain HTTP from another machine on your LAN will show:

“control ui requires device identity (use HTTPS or localhost secure context)”

This is a security feature, not a bug.

Access Methods

Method 1: SSH Tunnel (Recommended)

The simplest approach. Creates an encrypted tunnel from your computer to clusterclaw, making the services appear as localhost.

One command to access everything:

ssh -L 18790:localhost:18790 -L 5174:localhost:5174 picocluster@clusterclaw

Then open in your browser:

OpenClaw Dashboard: https://localhost:18790
ThreadWeaver (HTTPS): https://localhost:5174

You’ll see a self-signed certificate warning on first visit — accept it (the cert is generated by Caddy running on clusterclaw).

Tip: Add this to your ~/.ssh/config for easy access:

Host clusterclaw
    HostName 10.1.10.220
    User picocluster
    LocalForward 18790 localhost:18790
    LocalForward 5174 localhost:5174

Then just ssh clusterclaw and the tunnels are set up automatically.

Method 2: OpenClaw CLI from the host

OpenClaw’s CLI is installed on clusterclaw and can be used without a browser:

ssh picocluster@clusterclaw
openclaw agent --agent main --message "Hello"

All of OpenClaw’s raw HTTP endpoints are now bound to 127.0.0.1 only — so while curl http://localhost:18789/__openclaw__/health works from inside clusterclaw, LAN clients must go through the HTTPS tunnel.

Method 3: Tailscale (Remote Access)

For accessing PicoCluster Claw from outside your local network, Tailscale provides a WireGuard VPN with zero configuration.

Install Tailscale on clusterclaw:

curl -fsSL https://tailscale.com/install.sh | sh
sudo tailscale up

Install Tailscale on your computer.
SSH-tunnel as usual, substituting the Tailscale IP for the LAN IP:
Terminal window
```
ssh -L 5174:localhost:5174 -L 18790:localhost:18790 picocluster@<clusterclaw-tailscale-ip>
```
Then open https://localhost:5174 (ThreadWeaver) or https://localhost:18790 (OpenClaw) in your browser. ThreadWeaver and OpenClaw raw HTTP ports are not exposed on Tailscale either — use the tunnel.

Method 4: OpenClaw TUI (Terminal)

No browser needed — chat directly from the terminal:

ssh picocluster@clusterclaw
openclaw tui

Method 5: OpenClaw Mobile (Telegram/Discord)

Configure a messaging channel for mobile access to your agent:

Telegram (recommended — free, easy setup):

Create a bot via @BotFather on Telegram
On clusterclaw: openclaw channels login telegram
Follow the prompts to connect your bot
Chat with your bot from any device

Discord:

Create a Discord bot at https://discord.com/developers
On clusterclaw: openclaw channels login discord
Invite the bot to your server

Default Credentials

Service	Credential	Value
SSH	Username / Password	`picocluster` / `picocluster`
OpenClaw	Gateway Token	`picocluster-token`
Ollama	Auth	None (firewall-restricted to clusterclaw)

Change the defaults after setup:

# Change SSH password
passwd

# Change OpenClaw token
openclaw config set gateway.auth.token "your-new-token"
sudo docker restart openclaw

Ports Reference

Port	Service	Node	Access
22	SSH	both	LAN
80	PicoCluster Claw Portal	clusterclaw	LAN
5173	ThreadWeaver UI	clusterclaw	127.0.0.1 only (via Caddy 5174)
5174	ThreadWeaver HTTPS	clusterclaw	Caddy, SNI=localhost (tunnel)
7777	LED API	clusterclaw	LAN
8000	ThreadWeaver API	clusterclaw	127.0.0.1 only (via Caddy 5174)
8888	Shutdown API	clusterclaw	LAN
11434	Ollama	clustercrush	clusterclaw only (firewall)
18789	OpenClaw Gateway	clusterclaw	127.0.0.1 only (via Caddy 18790)
18790	OpenClaw Dashboard	clusterclaw	Caddy, SNI=localhost (tunnel)
18791	OpenClaw Control	clusterclaw	blocked
18792	OpenClaw CDP	clusterclaw	blocked

Troubleshooting

”Secure Connection Failed” on OpenClaw

You’re accessing port 18789 with HTTPS, or port 18790 without a tunnel. Use:

ssh -L 18790:localhost:18790 picocluster@clusterclaw

Then: https://localhost:18790

”Secure Connection Failed” on ThreadWeaver

You’re trying to reach ThreadWeaver directly over HTTP at http://clusterclaw:5173 — that port is now bound to 127.0.0.1 only for security. Use the SSH tunnel plus https://localhost:5174 instead.

ThreadWeaver shows “No local models found”

Ollama on clustercrush may not be running or the firewall is blocking:

ssh picocluster@clustercrush
ollama list
sudo systemctl status ollama

OpenClaw “LLM request timed out”

The model may not be loaded yet. Ollama loads models on first request:

ssh picocluster@clustercrush
ollama list                  # Check available models
ollama run llama3.2:3b       # Test interactively

Can’t reach clusterclaw or clustercrush by hostname

Add to your computer’s /etc/hosts:

10.1.10.220  clusterclaw
10.1.10.221  clustercrush