Most AI agent deployments live on servers or laptops — always-on compute with predictable connectivity. We took a different approach. Our primary agent runs on an Android phone.
This isn't a gimmick. A phone is always-on, always-connected (cellular fallback when WiFi drops), available anywhere, and has access to capabilities no server has: messaging, location, camera, and native integrations with your personal device ecosystem. Here's how we set it up — and what it unlocks.
What You Need
- Android phone (6GB+ RAM recommended)
- Termux from F-Droid — not the Play Store (Play Store version is years out of date)
- Termux:API companion app (F-Droid)
- Termux:Boot app (F-Droid) for auto-start on reboot
- Tailscale for secure mesh networking
- A laptop or server on the same Tailscale network (recommended)
- Anthropic API key
f-droid.org, then install Termux from there.
Step-by-Step Setup
Install Termux & Core Packages
After installing Termux from F-Droid, install the required runtime packages:
pkg update && pkg upgrade
pkg install nodejs git curl jq python openssh
Install OpenClaw globally via npm:
npm install -g openclaw
Grant Termux access to your phone's shared storage:
termux-setup-storage
Install Termux:API for Device Integration
Install the Termux:API app from F-Droid, then add the companion package inside Termux:
pkg install termux-api
In Android Settings, grant Termux:API the permissions it needs for your intended use case. Test it's working:
termux-battery-status
# Returns JSON: level, status, temperature, plugged
Configure OpenClaw
Initialize your config and set the critical security parameter first: bind the gateway to loopback only.
openclaw config init
Key config settings:
- Gateway bind: loopback (never a public interface)
- Telegram bot token — your messaging interface to the agent
- Anthropic API key — store in a password manager, inject via env
- Allowed sender IDs — your Telegram user ID only
Store all secrets in a password manager, not in config files:
# gopass — GPG-encrypted, git-backed secret storage
gopass insert [service]/[credential-name]
# Reference in config: ${SECRET_NAME}
Set Up Tailscale
Install Tailscale from the Play Store, sign in, and enable it. Your phone gets a stable private IP on your mesh network — reachable from your laptop and any other enrolled device, completely invisible to the internet.
Once Tailscale is running, you can update your gateway bind from loopback to tailnet to make the agent accessible from your other trusted devices.
Verify from your laptop:
# From laptop, via Tailscale mesh
curl http://[phone-tailscale-ip]:[gateway-port]/health
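To go with the curl test above, this added example (not part of the original guide or of OpenClaw) checks which interface the gateway port is actually listening on. It assumes you can feed it `ss -ltn` output from the device being checked; the port is a placeholder, and the function names are hypothetical.

```sh
#!/bin/sh
# Added example: classify where a TCP port listens, from `ss -ltn` output.
# Usage (assumption: ss is available and GATEWAY_PORT is your gateway's port):
#   ss -ltn | audit_bind "$GATEWAY_PORT"

# classify_addr ADDR -> loopback | tailnet | exposed
classify_addr() {
  addr=$1
  addr=${addr#\[}; addr=${addr%\]}   # strip IPv6 brackets
  addr=${addr%%\%*}                  # strip %interface scope suffix
  case $addr in
    127.*|::1) echo loopback ;;
    fd7a:115c:a1e0:*) echo tailnet ;;      # Tailscale IPv6 ULA prefix
    100.*.*.*)                             # Tailscale IPv4: 100.64.0.0/10
      o2=${addr#100.}; o2=${o2%%.*}
      case $o2 in ''|*[!0-9]*) echo exposed; return ;; esac
      if [ "$o2" -ge 64 ] && [ "$o2" -le 127 ]; then
        echo tailnet
      else
        echo exposed
      fi ;;
    *) echo exposed ;;                     # wildcard, LAN or public address
  esac
}

# audit_bind PORT: reads `ss -ltn` lines on stdin and prints the widest
# exposure found for PORT: none < loopback < tailnet < exposed
audit_bind() {
  port=$1; worst=none
  while read -r state _rq _sq laddr _rest; do
    [ "$state" = LISTEN ] || continue
    [ "${laddr##*:}" = "$port" ] || continue
    cls=$(classify_addr "${laddr%:*}")
    case $cls:$worst in
      exposed:*) worst=exposed ;;
      tailnet:none|tailnet:loopback) worst=tailnet ;;
      loopback:none) worst=loopback ;;
    esac
  done
  echo "$worst"
}
```

A result of `exposed` means the port is listening on a wildcard or non-tailnet address, which is the configuration the bind setting is meant to prevent.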
Reverse SSH Tunnel (Recommended)
If you need external services (webhooks, automation tools) to reach your phone gateway, set up a reverse SSH tunnel. The phone initiates the connection outbound — no inbound ports needed on the phone side.
# Phone tunnels a port on laptop back to its own gateway
ssh -R [laptop-port]:localhost:[gateway-port] your-laptop-tailscale-ip
For persistence — SSH connections drop; autossh reconnects automatically:
pkg install autossh
autossh -M 0 -R [laptop-port]:localhost:[gateway-port] your-laptop
Now laptop:[laptop-port] → your phone's agent gateway. Webhooks, n8n, and other services on the laptop can reach your agent without the phone ever having a public port.
Auto-Start on Reboot with Termux:Boot
Install the Termux:Boot app from F-Droid. Any scripts in ~/.termux/boot/ run automatically when the phone reboots. Create your startup script:
mkdir -p ~/.termux/boot
cat > ~/.termux/boot/start.sh << 'EOF'
#!/data/data/com.termux/files/usr/bin/bash
# Prevent Android from killing Termux
termux-wake-lock
# Start Tailscale
# (Tailscale Android app handles its own startup)
# Start SSH tunnel to laptop
autossh -M 0 -f -N \
-R [laptop-port]:localhost:[gateway-port] \
your-laptop
# Start OpenClaw
openclaw start
EOF
chmod +x ~/.termux/boot/start.sh
The key line is termux-wake-lock — without it, Android will eventually kill Termux to save battery.
What This Unlocks
Once running, your AI agent has access to capabilities genuinely unavailable on any cloud server:
SMS Integration
Read incoming texts, send replies, monitor important contacts — all via Termux:API.
Location Awareness
GPS coordinates with accuracy data. Location-aware reminders and context.
Camera Access
Capture photos on demand. Document scanning, visual inspection, QR codes.
Contacts
Look up contacts by name, resolve numbers — useful for SMS and CRM workflows.
Device Telemetry
Battery level, charging status, temperature. Monitor device health automatically.
Call Log
Review recent calls, missed calls, and call duration patterns.
Keeping It Running
Battery Optimization
Android aggressively kills background processes to save battery. You need to explicitly exempt both Termux and Termux:API:
- Settings → Battery → Battery Optimization → find Termux → "Don't optimize"
- Same for Termux:API
- On some devices: disable "Adaptive Battery" globally
- Always run termux-wake-lock at startup — this is load-bearing
Tunnel Persistence
Raw SSH connections drop — on cellular, on network switches, on any hiccup. autossh monitors the tunnel and reconnects automatically with exponential backoff. Never use plain ssh for a tunnel you need to stay up.
Monitoring Uptime
Configure a heartbeat cron job inside the agent: a regular check-in that confirms the agent is alive. If two consecutive heartbeats are missed, trigger an alert. An agent that silently dies and misses tasks is worse than one that fails loudly.
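One way to implement the two-missed-heartbeats rule, as an added example that is not from the original guide or from OpenClaw. It assumes the agent's heartbeat job writes the current epoch time (`date +%s`) to a file the watcher can read; the function name, file path and 30-second grace period are hypothetical.

```sh
#!/bin/sh
# Added example: decide whether the agent's heartbeat is ok, late or dead.
# Assumption: the heartbeat job writes `date +%s` to FILE on every check-in.

# heartbeat_state FILE NOW INTERVAL [GRACE] -> ok | late | alert
#   NOW and INTERVAL are in seconds; GRACE absorbs scheduling jitter.
heartbeat_state() {
  file=$1 now=$2 interval=$3 grace=${4:-30}

  # A missing or unreadable file means the agent never checked in: fail loudly.
  [ -r "$file" ] || { echo alert; return; }

  last=$(head -n 1 "$file")
  # Anything other than a plain integer is treated as a dead heartbeat.
  case $last in ''|*[!0-9]*) echo alert; return ;; esac

  # Whole intervals elapsed since the last check-in, after the grace period.
  missed=$(( (now - last - grace) / interval ))

  if [ "$missed" -ge 2 ]; then
    echo alert          # two consecutive heartbeats missed
  elif [ "$missed" -ge 1 ]; then
    echo late           # one missed: note it, do not page yet
  else
    echo ok
  fi
}

# Example cron wrapper (the alert command is a placeholder for your notifier):
#   state=$(heartbeat_state "$HOME/.agent-heartbeat" "$(date +%s)" 300)
#   [ "$state" = alert ] && your-alert-command "agent heartbeat missed"
```

Run the watcher on a different machine from the agent, such as the laptop on the tailnet, so that a dead phone cannot silence its own alarm.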
Troubleshooting
Termux gets killed by Android
Battery optimization is the culprit. Disable it for both Termux and Termux:API in Android Settings → Apps → [app] → Battery. On aggressive OEM skins (Xiaomi MIUI, Samsung One UI), there may be additional "background app" restrictions to disable separately.
SSH tunnel keeps dropping
Switch from plain ssh to autossh. Also add ServerAliveInterval 30 and ServerAliveCountMax 3 to your ~/.ssh/config — this makes the SSH client detect and report dead connections faster.
Termux:API stops working after Android update
Android sometimes resets app permissions after OS updates. Re-grant the permissions Termux:API needs in Android Settings → Apps → Termux:API → Permissions.
A phone-hosted AI agent isn't a compromise — it's a deliberate architectural choice that trades raw compute for portability and unique device capabilities. Once you've got an agent that can read your messages, know your location, and stay alive through network interruptions and phone reboots, you start building workflows that a server-bound agent simply can't replicate.