Claw Relay

v1.0.0

Route AI agent traffic through a residential IP using Tailscale exit nodes — no custom code, no proxies, just WireGuard.

by Nick Locascio (@nicholaslocascio)

Security Scan

VirusTotal: Benign
OpenClaw: Benign (high confidence)
Purpose & Capability
Name/description match the instructions: the SKILL.md explains how to advertise and use a Tailscale exit node from a residential machine and how to configure the VPS to use it. Required binary (tailscale) is appropriate and proportional.
Instruction Scope
Instructions remain within the stated purpose (install Tailscale, advertise/accept exit node, set --exit-node). They instruct the user to run system installer commands and use the Tailscale admin console, which is expected. Minor note: the doc suggests both 'transparent network routing' and an optional per-process proxy approach; that's not harmful but slightly contradictory in phrasing.
Install Mechanism
The instructions recommend running the official Tailscale install script (curl -fsSL https://tailscale.com/install.sh | sh). This is a common, documented installation method for Tailscale; it is a remote install-and-execute pattern (higher-risk in general) but uses the vendor's canonical URL.
Credentials
The skill requests no environment variables, no credentials, and no config paths. That is proportional for a networking/instructions-only skill.
Persistence & Privilege
Skill is instruction-only, has no install-time artifacts, and does not request 'always: true' or system-wide persistent privileges. It does not request to modify other skills or system-wide agent settings.
Assessment
This skill is coherent and documents a standard way to route a VPS's traffic through a home IP using Tailscale exit nodes. Before using it, consider:

  (1) Security/privacy: traffic from your VPS will egress your home network — any malicious or misconfigured agent on the VPS could reach services on your LAN or consume your bandwidth. Only enable an exit node on machines you trust and monitor.
  (2) Availability: your laptop must stay online; if it sleeps or disconnects the VPS loses internet egress.
  (3) Provider/ToS: routing traffic this way may violate your cloud provider or ISP terms — check policies.
  (4) Installation safety: the install step uses a remote install script (official tailscale.com URL); if you prefer, review the script before running it or use platform package managers.
  (5) If you want to avoid using Tailscale's control plane, consider the documented Headscale option.

Also note a minor metadata inconsistency: the registry metadata listed no homepage, but the SKILL.md includes a homepage URL (clawrelay.ai); this is not a functionality problem but worth verifying the skill's source before proceeding.

Like a lobster shell, security has layers — review code before you run it.

Runtime requirements

🏠 Clawdis
Bins: tailscale
latest: vk97bgwkqdsb67mnk0gn4rwab9d81y98z
329 downloads · 1 star · 1 version
Updated 1mo ago
License: MIT-0

claw-relay

You are helping a human set up claw-relay — a method for routing AI agent traffic through a residential IP address using Tailscale exit nodes. No custom relay, no daemon, no proxy software. Just Tailscale.

Architecture

There are two nodes connected by a Tailscale tunnel:

┌──────────────────────┐          ┌──────────────────────┐
│   CLOUD NODE         │          │   RESIDENTIAL NODE   │
│   (datacenter IP)    │          │   (home IP)          │
│                      │          │                      │
│   AI Agent           │          │   Tailscale          │
│     ↓                │          │   (exit node)        │
│   Tailscale ─────────┼── WG ───▶│     ↓                │
│   (use exit node)    │          │   Internet           │
│                      │          │   (exits from home)  │
└──────────────────────┘          └──────────────────────┘

  • Cloud node: A VPS running the AI agent. Tailscale routes its traffic through the exit node.
  • Residential node: The human's laptop running Tailscale as an exit node. Traffic exits from this IP.
  • Tailscale connects the two over an encrypted WireGuard tunnel. No custom code needed.

Which node are you setting up?

Ask the human which side they need to configure. They may need to do both, but walk through one at a time.


Residential Node Setup (human's laptop — do this first)

The human's laptop becomes a Tailscale exit node, allowing the VPS to route traffic through it.

Prerequisites

1. Install Tailscale

macOS:

brew install tailscale

Linux:

curl -fsSL https://tailscale.com/install.sh | sh

2. Enable as exit node

sudo tailscale up --advertise-exit-node

3. Approve the exit node

Go to the Tailscale admin console at https://login.tailscale.com/admin/machines — find the laptop and approve it as an exit node by clicking the three-dot menu → "Edit route settings" → enable "Use as exit node".

Alternatively, if you have --accept-routes on your policy, this happens automatically.

Test

tailscale status

The laptop should show as an exit node in the tailnet.


Cloud Node Setup (VPS)

This is the server running your AI agent. It joins the same tailnet and routes all traffic through the residential exit node.

Prerequisites

  • A VPS or cloud server (any provider — DigitalOcean, Hetzner, AWS, etc.)
  • The residential node must already be set up as an exit node

1. Install Tailscale

curl -fsSL https://tailscale.com/install.sh | sh

2. Join the tailnet and set exit node

Find the residential node's Tailscale hostname or IP:

tailscale status

Then set it as the exit node:

sudo tailscale up --exit-node=<laptop-hostname-or-ip>

Replace <laptop-hostname-or-ip> with the Tailscale IP (e.g., 100.64.x.x) or hostname of the laptop.

3. Verify

curl https://httpbin.org/ip

The response should show the residential IP (the laptop's public IP), not the VPS IP.


Agent Configuration

Once the exit node is set, all traffic from the VPS routes through the laptop automatically. No proxy configuration needed in your agent code — it's transparent at the network level.

Your agent code doesn't change at all:

Python:

import requests

r = requests.get("https://httpbin.org/ip")
print(r.json())  # Shows the residential IP

JavaScript:

const res = await fetch("https://httpbin.org/ip");
console.log(await res.json()); // Shows the residential IP

Shell:

curl https://httpbin.org/ip  # Shows the residential IP

Per-process control (optional)

If you want only specific processes to use the exit node instead of all VPS traffic, you can use Tailscale's --exit-node with app-specific routing or configure HTTPS_PROXY with a local proxy that routes through Tailscale.


Advanced: Isolation with Tailscale ACLs

For production setups, use Tailscale ACLs to control which machines can use which exit nodes:

{
  "tagOwners": {
    "tag:agent": ["autogroup:admin"],
    "tag:exitnode": ["autogroup:admin"]
  },
  "acls": [
    {
      "action": "accept",
      "src": ["tag:agent"],
      "dst": ["tag:exitnode:*"]
    }
  ]
}

Tag your VPS as tag:agent and your laptop as tag:exitnode to restrict access.
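
An added example, not part of the skill: a small audit of the policy above that lists what tag:agent is actually allowed to reach. It assumes Tailscale's documented semantics that `tag:exitnode:*` means every port on the tagged devices and that traffic leaving through an exit node is authorized by a rule whose destination is `autogroup:internet`; the finding names and the second policy are constructed for illustration.

```python
import json

# Policy from the section above, embedded unchanged.
PAGE_POLICY = json.loads("""
{
  "tagOwners": {"tag:agent": ["autogroup:admin"], "tag:exitnode": ["autogroup:admin"]},
  "acls": [{"action": "accept", "src": ["tag:agent"], "dst": ["tag:exitnode:*"]}]
}
""")

# Constructed variant: the agent is granted internet egress via exit nodes only.
EGRESS_ONLY_POLICY = json.loads("""
{
  "tagOwners": {"tag:agent": ["autogroup:admin"], "tag:exitnode": ["autogroup:admin"]},
  "acls": [{"action": "accept", "src": ["tag:agent"], "dst": ["autogroup:internet:*"]}]
}
""")


def audit_agent_rules(policy, agent="tag:agent", exit_tag="tag:exitnode"):
    """Return sorted finding codes describing what `agent` may reach."""
    findings = set()
    internet_granted = False
    for rule in policy.get("acls", []):
        if rule.get("action") != "accept":
            continue
        if not {agent, "*"} & set(rule.get("src", [])):
            continue  # rule does not apply to the agent
        for dst in rule.get("dst", []):
            # "tag:exitnode:*" splits into host "tag:exitnode" and ports "*"
            host, _, ports = dst.rpartition(":")
            if host == "autogroup:internet":
                internet_granted = True
            elif host == "*":
                findings.add("agent-can-reach-whole-tailnet")
            elif host == exit_tag and ports == "*":
                findings.add("agent-can-reach-every-port-on-exit-node")
    if not internet_granted:
        findings.add("no-autogroup-internet-grant")
    for tag in (agent, exit_tag):
        if tag not in policy.get("tagOwners", {}):
            findings.add(f"undefined-tag:{tag}")
    return sorted(findings)


if __name__ == "__main__":
    print("page policy:", audit_agent_rules(PAGE_POLICY))
    print("egress only:", audit_agent_rules(EGRESS_ONLY_POLICY))
```

For the page's policy the audit reports that the agent can open any port on the laptop itself and that no rule grants `autogroup:internet`; the constructed egress-only policy produces no findings.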


Advanced: Headscale (fully self-hosted)

If you want zero dependency on Tailscale's coordination server, use Headscale — an open-source, self-hosted implementation of the Tailscale control server.

  1. Deploy Headscale on a server you control
  2. Point both nodes to your Headscale instance instead of Tailscale's servers
  3. Everything else works the same — WireGuard tunnels, exit nodes, ACLs

This gives you a fully self-hosted solution with no third-party dependencies.


Troubleshooting

  • Exit node not showing: Make sure you approved it in the admin console
  • VPS still shows datacenter IP: Run tailscale status to verify the exit node is connected, then sudo tailscale up --exit-node=<laptop> again
  • Connection drops: Check that the laptop has internet access and Tailscale is running
  • Laptop went to sleep: Tailscale reconnects automatically when the laptop wakes up, but the VPS will lose internet access while the laptop is offline
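
The Troubleshooting cases above, expressed as a check over `tailscale status --json` (an added example, not part of the skill). The status document is a constructed sample; `diagnose` and its result strings are hypothetical names, and the fields read (`BackendState`, `Peer`, `ExitNodeOption`, `ExitNode`, `Online`) are those the CLI emits.

```python
import json

# Constructed sample shaped like `tailscale status --json` on the VPS.
# On a live host, load it with:
#   json.loads(subprocess.check_output(["tailscale", "status", "--json"]))
SAMPLE_STATUS = json.loads("""
{
  "BackendState": "Running",
  "ExitNodeStatus": {"ID": "n1", "Online": false, "TailscaleIPs": ["100.64.0.2/32"]},
  "Peer": {
    "nodekey:aaaa": {"HostName": "home-laptop", "TailscaleIPs": ["100.64.0.2"],
                     "Online": false, "ExitNode": true, "ExitNodeOption": true}
  }
}
""")


def diagnose(status, laptop):
    """Map the VPS's view of the tailnet to one Troubleshooting case.

    `laptop` is the residential node's Tailscale hostname or IP.
    """
    if status.get("BackendState") != "Running":
        return "tailscale-not-running"
    peers = (status.get("Peer") or {}).values()  # "Peer" is null with no peers
    peer = next(
        (p for p in peers
         if laptop in (p.get("HostName"), *(p.get("TailscaleIPs") or []))),
        None,
    )
    if peer is None:
        return "laptop-not-in-tailnet"
    if not peer.get("ExitNodeOption"):
        # Advertised but not approved in the admin console (or not advertised).
        return "exit-node-not-approved"
    if not peer.get("ExitNode"):
        # Approved, but this VPS has not selected it with --exit-node.
        return "exit-node-not-selected"
    if not peer.get("Online"):
        # Selected but unreachable, e.g. the laptop is asleep.
        return "laptop-offline"
    return "ok"


if __name__ == "__main__":
    print(diagnose(SAMPLE_STATUS, "home-laptop"))
```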
