
Hetzner + Cloudflare Tunnel for OpenClaw: Hardened Reference Architecture for SetupClaw
Abstract: A production OpenClaw setup on Hetzner is safest when Cloudflare Tunnel is used as controlled ingress, not as a blanket exposure shortcut. This guide outlines a hardened reference architecture that SetupClaw can deliver and customers can actually operate: trust-zone route separation, explicit DNS design, layered auth, private fallback access, and rollback-first operations.

The biggest mistake in tunnel-based deployments is simple. Teams expose everything through one route because it looks convenient, then discover too late that they cannot explain what is public, what is protected, and how to roll back safely.

A hardened SetupClaw pattern starts from the opposite direction. Keep high-privilege OpenClaw control paths private-first. Publish only the minimum routes needed for external workflows. Treat every route as a policy decision with an owner. This sounds stricter, but it makes operation
Continue reading on Dev.to DevOps




