Encrypted Tunnels
Encrypted tunnels are outbound-only, encrypted network connections that replace traditional SSH and VPN access. The server connects outward, so no ports need to be open for incoming traffic.
What are encrypted tunnels?
An encrypted tunnel is a secure network connection where all data is encrypted end-to-end between two points. In the context of server infrastructure, encrypted tunnels replace traditional networking approaches (open ports, SSH access, VPN connections) with a model where the server initiates all connections outward, and no inbound ports need to be open.
Traditional server networking requires open ports. SSH needs port 22 open for remote management. Web applications need ports 80 and 443. Application-specific services open additional ports. Each open port is a potential attack vector that must be monitored, patched, and secured.
Outbound-only encrypted tunnels flip this model. The server establishes an encrypted connection outward to a trusted edge network. All traffic (management, application data, API calls) flows through this single encrypted channel. The server's firewall blocks all incoming connections on all ports. There is nothing listening, nothing to scan, and nothing to exploit.
Why it matters
For AI agents, encrypted tunnels solve two critical problems. First, they eliminate network-level attack surface. Security scanners cannot discover your agent because there are no open ports to find. Second, they encrypt all traffic between your agent and the services it connects to, preventing eavesdropping and man-in-the-middle attacks.
Most self-hosted AI agents expose at least two ports: SSH for management and the agent gateway for communication. These ports are discoverable by automated scanners within hours of deployment. Encrypted tunnels make this entire category of attack impossible by removing the entry points entirely.
How ClawTrust handles this
Every ClawTrust agent server establishes an outbound-only encrypted tunnel to our edge network during provisioning. The server's firewall is configured to deny all inbound connections. The OpenClaw gateway binds to the local interface only. All communication between your agent and the outside world (messaging channels, API calls, dashboard access) flows through this encrypted tunnel. The edge network handles DDoS protection, SSL termination, and traffic routing. Your agent gets a dedicated hostname for access through the tunnel, with zero ports exposed to the public internet.
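One way to verify the "binds to the local interface only" property on a host, as an added example that is not ClawTrust's or OpenClaw's own code: the script reads `ss -Hltn`-style socket listings (a constructed sample is embedded so it runs offline) and flags any TCP listener bound outside loopback. The `ss` invocation and the sample port numbers are assumptions.

```shell
#!/bin/sh
# Added audit helper (not ClawTrust's or OpenClaw's own tooling): lists TCP
# listeners bound to a non-loopback address. In the outbound-only model the
# gateway should bind only to 127.0.0.1 or ::1, so any wildcard (0.0.0.0 /
# [::]) or public-address listener is an inbound entry point that stays
# unreachable only because the host firewall denies inbound traffic.

# Reads `ss -Hltn`-style lines on stdin (State Recv-Q Send-Q Local:Port Peer:Port)
# and prints the local address:port of every listener not bound to loopback.
exposed_listeners() {
    awk '$1 == "LISTEN" {
        addr = $4
        sub(/:[0-9]+$/, "", addr)          # drop the trailing :port
        if (addr !~ /^127\./ && addr != "[::1]") print $4
    }'
}

# Succeeds (exit 0) when nothing listens outside loopback, fails otherwise.
check_local_only() {
    [ -z "$(exposed_listeners)" ]
}

# Live use on the agent server: audit the real socket table (assumes iproute2 ss).
audit_host() {
    ss -Hltn | check_local_only
}

# Constructed sample (port numbers are made up): a gateway correctly bound
# to loopback, plus sshd listening on both the IPv4 and IPv6 wildcards.
SAMPLE='LISTEN 0 4096 127.0.0.1:18080 0.0.0.0:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 [::]:22 [::]:*'

if printf '%s\n' "$SAMPLE" | check_local_only; then
    echo "OK: all listeners are loopback-only"
else
    echo "Exposed listeners (must be covered by the inbound deny-all rule):"
    printf '%s\n' "$SAMPLE" | exposed_listeners
fi
```

Run `audit_host` on a real server to check the live socket table; a non-zero exit means something is listening on a network-reachable address.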
Related terms
Zero Trust Hosting
Zero trust hosting is a security model where every server has zero open inbound ports, uses outbound-only encrypted networking, and requires verification for every connection.
Credential Vault
A credential vault is an encrypted storage system that keeps API keys, passwords, and tokens separate from the agent server. The agent never directly handles your credentials.
Managed AI Hosting
Managed AI hosting is a fully managed service where the provider handles all server provisioning, security hardening, monitoring, and maintenance for your AI agent. You focus on using the agent, not running it.
Frequently asked questions
How does an outbound-only tunnel work?
The server initiates a connection outward to a trusted edge network. Once established, the tunnel carries traffic in both directions, but the key point is that the server does not need any open ports for incoming connections. The connection starts from inside the server, not from outside.
Is this the same as a VPN?
Similar concept, different implementation. Traditional VPNs still require an open port for the initial connection. Outbound-only tunnels require zero open ports on the server. The server connects outward to the tunnel service, which handles all routing and authentication at the edge.
Does this add latency to my agent's responses?
The additional latency is negligible, typically a few milliseconds. The tunnel connects to the nearest edge location, and the encryption and routing overhead is minimal compared to the AI model response time, which is the primary factor in agent response speed.
What if the tunnel connection drops?
The tunnel client on the server automatically reconnects. ClawTrust's health monitoring detects tunnel disruptions and can automatically restart the tunnel service. During brief disconnections, your agent queues outgoing messages and delivers them once the tunnel is re-established.
Can someone intercept the tunnel traffic?
No. The tunnel uses strong end-to-end encryption. Even if someone could intercept the network packets, they would see only encrypted data. The encryption keys are unique to your server and are never shared.
Explore further
See it in action
ClawTrust implements encrypted tunnels automatically. Your agent is live in under 5 minutes.