17. HowTo : How to use Mac‐air access remote OpenClaw chat & WebUI
This HOWTO guide provides a comprehensive walkthrough for deploying a private, secure, and globally accessible AI workspace by combining OpenClaw with ZTM (Zero Trust Mesh).
By integrating OpenClaw’s streamlined Chat interface with ZTM’s decentralized networking capabilities, you can establish a self-hosted AI hub that bypasses the limitations of traditional cloud providers and complex VPNs.
- Ultimate Privacy Control: Host your own Chat UI and manage your data locally, ensuring no third-party logs your interactions.
- Seamless Remote Access: Leverage ZTM Tunnel to securely expose your OpenClaw WebUI to the internet without needing a public IP address or configuring risky port forwarding.
- Zero Trust Security: Benefit from a "never trust, always verify" architecture where traffic is end-to-end encrypted and accessible only by authorized identities within your mesh.
- Lightweight & Performant: Both tools are designed for efficiency, making them ideal for everything from home labs to enterprise edge environments.
- Install OpenClaw on Ubuntu Linux (x86_64) follow instructions: https://openclaw.ai
ubuntu@ubuntu:~$ curl -fsSL https://openclaw.ai/install.sh | bash
- Install ztm on Ubuntu Linux :
root@ubuntu:~# wget https://github.com/flomesh-io/ztm/releases/download/v2.0.0/ztm-aio-v2.0.0-generic_linux-x86_64.tar.gz
ztm-aio-v2.0.0-generic_linux-x86_64.ta 100%[============================================================================>] 11.52M 52.5KB/s Times 3m 23s
2026-02-14 09:29:39 (58.1 KB/s) - Save to ‘ztm-aio-v2.0.0-generic_linux-x86_64.tar.gz’ [12079039/12079039])
root@ubuntu:~# tar xzvf ztm-aio-v2.0.0-generic_linux-x86_64.tar.gz
bin/ztm
root@ubuntu:~# cp bin/ztm /usr/local/bin/
root@ubuntu:~# which ztm
/usr/local/bin/ztm
root@ubuntu:~# ztm version
ZTM:
Edition: Community
Tag : v2.0.0
Commit : d34b3bf0bc34b27fb68d028476f5d192caca13e1
Date : Fri, 13 Feb 2026 09:41:21 +0800
Pipy:
Tag : 2.0.0-alpha.4
Commit : f57b471a635cc02caaa9676fe73201cb3dc60c91
Date : Tue, 6 Jan 2026 21:33:02 +0800
Join trial hub (You can also run your own hub, detail steps in another wiki page):
root@ubuntu:~# ztm start agent
root@ubuntu:~# ztm try openclaw --mesh-name ztm-trial --user-name caiair --ep-name home-ubuntu --pass-key 123321
Create tunnel for OpenClaw WebUI (port 18789):
root@ubuntu:~# ztm tunnel open outbound tcp/caiair-ubuntu-openclaw --targets 127.0.0.1:18789
- Install ztm on Mac-Air:
demo@demo-macair ~% brew install flomesh-io/ztm/ztm
demo@demo-macair ~% ztm version
ZTM:
Edition: undefined
Tag : undefined
Commit : d34b3bf0bc34b27fb68d028476f5d192caca13e1
Date : Fri, 13 Feb 2026 09:41:21 +0800
Pipy:
Tag : 2.0.0-alpha.4
Commit : f57b471a635cc02caaa9676fe73201cb3dc60c91
Date : Tue, 6 Jan 2026 21:33:02 +0800
Join trial hub (Pay attention to the --user-name and --pass-key here are the same as username on ubuntu, but --ep-name is different ):
demo@demo-macair ~% ztm start agent
demo@demo-macair ~% ztm try openclaw --mesh-name ztm-trial --user-name caiair --ep-name mac-air --pass-key 123321
Mapping tunnel from Ubuntu to Mac-Air (local port 28789, choose a local port which not listened by any other process):
$ ztm tunnel open inbound <inbound name> --listen <local port>
E.g.:
demo@demo-macair ~% ztm tunnel open inbound tcp/caiair-ubuntu-openclaw --listen 127.0.0.1:28789
-
Access OpenClaw WebUI in Mac-Air browser: http://localhost:28789/#[your-openclaw-token]
-
Setup & Config ztm-chat
Install OpenClaw ztm-chat channel plugin on Ubuntu:
5.1 Get plugin source code :
ubuntu@ubuntu:~$ git clone https://github.com/flomesh-io/ztm.git
5.2 Run npm install in extensions/ztm-chat directory:
ubuntu@ubuntu:~/ztm$ cd extensions/ztm-chat/
ubuntu@ubuntu:~/ztm/extensions/ztm-chat$ npm install
npm warn deprecated tar@6.2.1: Old versions of tar are not supported, and contain widely publicized security vulnerabilities, which have been fixed in the current version. Please update. Support for old versions may be purchased (at exorbitant rates) by contacting i@izs.me
npm warn deprecated npmlog@6.0.2: This package is no longer supported.
npm warn deprecated node-domexception@1.0.0: Use your platform's native DOMException instead
npm warn deprecated gauge@4.0.4: This package is no longer supported.
npm warn deprecated are-we-there-yet@3.0.1: This package is no longer supported.
npm warn deprecated glob@10.5.0: Old versions of glob are not supported, and contain widely publicized security vulnerabilities, which have been fixed in the current version. Please update. Support for old versions may be purchased (at exorbitant rates) by contacting i@izs.me
added 734 packages, and audited 735 packages in 2m
145 packages are looking for funding
run `npm fund` for details
4 high severity vulnerabilities
To address all issues (including breaking changes), run:
npm audit fix --force
Run `npm audit` for details.
npm notice
npm notice New major version of npm available! 10.9.4 -> 11.10.0
npm notice Changelog: https://github.com/npm/cli/releases/tag/v11.10.0
npm notice To update run: npm install -g npm@11.10.0
npm notice
5.3 openclaw plugins install:
ubuntu@ubuntu:~/ztm/extensions/ztm-chat$ openclaw plugins install -l .
🦞 OpenClaw 2026.2.12 (f9e444d) — Less clicking, more shipping, fewer "where did that file go" moments.
Linked plugin path: ~/ztm/extensions/ztm-chat
Restart the gateway to load plugins.
5.4 Restart openclaw gateway:
openclaw gateway restart
5.5 Config ztm-chat plugin with ztm-chat-wizard:
ubuntu@ubuntu:~/ztm/extensions/ztm-chat$ openclaw ztm-chat-wizard
🦞 OpenClaw 2026.2.12 (f9e444d) — The UNIX philosophy meets your DMs.
🤖 ZTM Chat Setup Wizard
========================================
Step 1: ZTM Agent URL (Required)
ZTM Agent URL [http://localhost:7777]:
✓ URL validated: http://localhost:7777
Step 2: Permit Server URL (Required)
Permit Server URL [https://ztm-portal.flomesh.io:7779/permit]:
✓ URL validated: https://ztm-portal.flomesh.io:7779/permit
Step 2: Bot Username (Required)
Bot username [openclaw-bot]: caiair-ubuntu-clawbot
✓ Bot username configured: caiair-ubuntu-clawbot
Step 4: Security Settings
Direct Message Policy
[1] Require explicit pairing (approval needed)
[2] Allow messages from all users
[3] Deny messages from all users
[0] Cancel
Select [1]: 1
✓ DM Policy set to: pairing
Allow messages from (comma-separated usernames, * for all users) [*]: caiair
Configuration Summary
Agent URL: http://localhost:7777
Permit Server URL: https://ztm-portal.flomesh.io:7779/permit
Username: caiair-ubuntu-clawbot
Message Path: /shared
Auto Reply: true
DM Policy: pairing
Allow From: caiair
Save this configuration? (Y/n): [y]: y
Save to file [/home/caishu/.openclaw/ztm/config.json]:
✓ Configuration saved to /home/caishu/.openclaw/ztm/config.json
Pairing Mode Enabled
⚠ Your bot is in pairing mode.
ℹ To allow users to message you:
1. Users send a message to your bot
ℹ 2. The bot will send them a pairing request
3. Approve them: openclaw pairing approve ztm-chat <code>
ℹ 4. After approval, their messages will be accepted
✅ Configuration complete!
📁 Saved to: /home/caishu/.openclaw/ztm/config.json
Next steps:
1. Restart OpenClaw: openclaw gateway restart
2. Check status: openclaw channels status
5.5 Check ztm-chat bot online status is OK
ubuntu@ubuntu:~$ ztm get mesh
NAME JOINED AS USER HUBS STATUS
ztm-trial home-ubuntu caiair 35.72.1.189:8888 Connected
openclaw-mesh caiair-ubuntu-clawbot-ep caiair-ubuntu-clawbot 35.72.1.189:8888 Connected
ubuntu@ubuntu:~$ ztm mesh openclaw-mesh get ep
NAME USER IP PORT STATUS PING ID EDITION VERSION LABELS
caiair caiair 42.84.35.120 52073 Online 75ms 092146fe-b9c3-4aa3-9950-22f5d83f1c70 n/a n/a
caiair-ubuntu-clawbot-ep (local) caiair-ubuntu-clawbot 42.84.35.120 60510 Online n/a 9e0dcc87-8d0d-4811-a5a5-074f1e4cbd98 Community v2.0.0
Here you can see both caiair and caiair-ubuntu-clawbot-ep status is Online.
5.6 Send chat invitation on Mac-Air ztm-chat
On Mac-Air, open http://localhost:7777/#/mesh/chat in browser. Click on the right up corner plus sign, and select the openclaw chat bot just created on step #5.5, then start chat. For this demo, the openclaw chatbot I just created is caiair-ubuntu-clawbot.
In the chat window, type hello, my clawbot.
5.7 On ubuntu, list paring request and approve it
ubuntu@ubuntu:~/.openclaw$ openclaw pairing list ztm-chat
🦞 OpenClaw 2026.2.12 (f9e444d) — Valentine's Day: Roses are typed, violets are piped—I'll automate the chores so you can spend time with humans.
Pairing requests (1)
┌──────────┬───────────────────────────────────────────────────────────────┬──────────────────────────────────────────────────────────────────────┬──────────────────────────┐
│ Code │ username │ Meta │ Requested │
├──────────┼───────────────────────────────────────────────────────────────┼──────────────────────────────────────────────────────────────────────┼──────────────────────────┤
│ CTBD3MJN │ caiair │ {"name":"caiair"} │ 2026-02-14T15:04:23.139Z │
└──────────┴───────────────────────────────────────────────────────────────┴──────────────────────────────────────────────────────────────────────┴──────────────────────────┘
ubuntu@ubuntu:~/.openclaw$ openclaw pairing approve ztm-chat CTBD3MJN
🦞 OpenClaw 2026.2.12 (f9e444d) — Because Siri wasn't answering at 3AM.
Approved ztm-chat sender caiair.
5.8 On Mac-Air ztm-chat window chat with your bot, cheers~
By integrating OpenClaw with ZTM, you have successfully built a self-hosted AI environment that strikes a perfect balance between sovereignty and accessibility. This architecture transforms a local service into a globally available resource without the inherent risks of traditional port forwarding or the privacy trade-offs of centralized platforms.
Through the ZTM Tunnel, your OpenClaw WebUI is now shielded by a zero-trust perimeter, ensuring that your private conversations remain truly private. Whether you are at home or on the move, you now have a secure, encrypted gateway to your personal AI hub. This setup not only maximizes your data security but also provides the flexibility to scale and manage your AI interactions on your own terms.