Install
openclaw skills install telnyx-networkSkill flagged — review recommended
ClawHub Security found sensitive or high-impact capabilities. Review the scan results before using.
Telnyx Network
Private mesh networking and public IP exposure via Telnyx WireGuard infrastructure. Connect nodes securely or expose services to the internet.
Audits
SuspiciousTelnyx Network
Private mesh networking and public IP exposure via Telnyx WireGuard infrastructure.
Requirements
- Telnyx API Key — Get one free
- WireGuard installed on your machine
Agent Use (OpenClaw)
WireGuard requires elevated permissions to create network interfaces. For OpenClaw to manage your mesh autonomously, run this once:
sudo ./setup-sudoers.sh
This adds a sudoers rule allowing WireGuard commands without password prompts. After setup, your agent can:
# Agent can now do all of this without password prompts:
./setup.sh --region ashburn-va
./join.sh --name "my-node" --apply
./register.sh --name "my-node"
./teardown.sh
What it does:
- Adds
/etc/sudoers.d/wireguard-<username> - Only allows
wgandwg-quickcommands (not blanket sudo) - Can be removed anytime:
sudo rm /etc/sudoers.d/wireguard-*
Without this setup, the agent can still create networks and generate configs, but you'll need to manually run sudo wg-quick up <config> to connect.
Two Modes
Mesh Mode (Private)
Connect multiple machines in a private network. Like Tailscale, but on Telnyx infrastructure.
./setup.sh --region ashburn-va
./join.sh --name "laptop"
./join.sh --name "server" # run on server
# Now laptop and server can talk via 172.27.0.x
Cost: $10/month (WireGuard Gateway)
Expose Mode (Public)
Get a public IP and expose services to the internet.
./setup.sh --region ashburn-va
./join.sh --name "server" --apply
./add-public-ip.sh
./expose.sh 443
# Now https://64.16.x.x:443 reaches your server
Cost: $60/month (WireGuard Gateway + Internet Gateway)
Commands
| Command | Description |
|---|---|
sudo ./setup-sudoers.sh | Enable passwordless sudo for WireGuard (one-time, for agent use) |
./setup.sh --region <code> | Create network + WireGuard gateway |
./join.sh --name <name> | Add this machine to the mesh |
./peers.sh | List all connected peers |
./add-public-ip.sh | Add internet gateway (public IP) |
./expose.sh <port> | Open a port |
./unexpose.sh <port> | Close a port |
./status.sh | Show full status |
./teardown.sh | Delete everything |
./register.sh --name <name> | Register node in mesh registry |
./discover.sh | Discover other nodes on mesh |
./unregister.sh --name <name> | Remove node from registry |
Node Discovery
Nodes on the mesh can find each other using a registry stored in Telnyx Storage. This enables OpenClaw instances to automatically discover and communicate with each other.
Register This Node
After joining the mesh, register your node so others can find it:
./register.sh --name "home-server"
Discover Other Nodes
Find all registered nodes on the mesh:
./discover.sh
# Output:
# NAME IP HOSTNAME REGISTERED
# home-server 172.27.0.1 macbook.local 2026-01-31 ✅
# work-laptop 172.27.0.2 thinkpad 2026-01-31 ✅
# JSON output for scripts
./discover.sh --json
Unregister
Remove a node from the registry:
./unregister.sh --name "old-server"
Use Case: Multi-OpenClaw Communication
# On OpenClaw A
./join.sh --name "openclaw-a" --apply
./register.sh --name "openclaw-a"
# On OpenClaw B
./join.sh --name "openclaw-b" --apply
./register.sh --name "openclaw-b"
# Either can now discover the other
./discover.sh
# → Shows both openclaw-a and openclaw-b with their mesh IPs
# Direct communication works via mesh IPs
curl http://172.27.0.2:18789/health # OpenClaw B's gateway
This completes the "host-to-local node sessions" and "direct comms between OpenClaws" use cases.
Regions
| Region | Code | Location |
|---|---|---|
| US East | ashburn-va | Ashburn, VA |
| US Central | chicago-il | Chicago, IL |
| EU | frankfurt-de | Frankfurt, DE |
| EU | amsterdam-nl | Amsterdam, NL |
Get full list:
./setup.sh --region help
Safety
Blocked Ports (need --force)
- 22 (SSH)
- 23 (Telnet)
- 3306 (MySQL)
- 5432 (PostgreSQL)
- 6379 (Redis)
- 27017 (MongoDB)
Firewall
Only explicitly exposed ports accept traffic on the WireGuard interface. All other ports are blocked by default.
Configuration
All state is stored in config.json:
{
"network_id": "...",
"region": "ashburn-va",
"wireguard_gateway": {
"id": "...",
"endpoint": "64.16.x.x:5107",
"subnet": "172.27.0.1/24"
},
"internet_gateway": {
"id": "...",
"public_ip": "64.16.x.x"
},
"peers": [...],
"exposed_ports": [443, 80]
}
Use Cases
1. Connect OpenClaw Instances
# On main server
./setup.sh --region ashburn-va
./join.sh --name "openclaw-main" --apply
# On secondary server
./join.sh --name "openclaw-backup" --apply
# Now they can communicate securely
2. Expose Webhook Endpoint
./add-public-ip.sh
./expose.sh 443
# Configure your webhook URL as https://64.16.x.x/webhook
3. Multi-Region Mesh
./setup.sh --region ashburn-va
./join.sh --name "us-east-server"
# Same network, different region gateway
./setup.sh --region frankfurt-de --name same-network
./join.sh --name "eu-server"
Pricing
| Component | Monthly Cost |
|---|---|
| WireGuard Gateway | $10 |
| Internet Gateway | $50 |
| Peers | Free |
| Traffic | Free (beta) |
Troubleshooting
"Gateway still provisioning"
Wait 5-10 minutes after setup for the gateway to be ready.
"Connection refused"
- Check WireGuard is running:
sudo wg show - Check port is exposed:
./status.sh - Check firewall:
sudo iptables -L -n
"Permission denied"
WireGuard requires root. Run with sudo or use --apply flag.
License
MIT