
OpenClaw Cloudflare Tunnel Production Setup on Hetzner: DNS, Origin Certs, and Safe Rollback
Abstract: Cloudflare Tunnel can make OpenClaw safer in production, but only if you treat it as a controlled ingress layer rather than a shortcut to expose everything. This guide explains a practical SetupClaw pattern for Hetzner: route separation by trust level, explicit DNS design, origin trust handling, fail-closed defaults, and rollback-first operations. The aim is a setup that is secure to run and predictable to recover.

Most tunnel incidents are not caused by Cloudflare being unreliable. They come from unclear boundaries. Teams publish one broad route, mix privileged UI access with webhook-like ingress, and then struggle to explain what is exposed and why.

A production SetupClaw approach starts from the opposite assumption. Keep the OpenClaw control plane private-first. Expose only what must be exposed. Document every route as an operational decision, not a convenience setting. That sounds




