diff --git a/docker-compose.yml b/docker-compose.yml
index 9951258..49dacd2 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -29,13 +29,9 @@ services:
       - dokploy-network
     command:
       [
-        "node",
-        "dist/index.js",
-        "gateway",
-        "--bind",
-        "${OPENCLAW_GATEWAY_BIND:-loopback}",
-        "--port",
-        "18789",
+        "/bin/sh",
+        "-c",
+        "/home/node/.local/bin/tailscale-start.sh && node dist/index.js gateway --bind ${OPENCLAW_GATEWAY_BIND:-loopback} --port 18789",
       ]
     # healthcheck:
     #   test: ["CMD", "healthcheck.sh"]
diff --git a/docker/Dockerfile b/docker/Dockerfile
index 849bb9b..c33240c 100644
--- a/docker/Dockerfile
+++ b/docker/Dockerfile
@@ -33,6 +33,19 @@ RUN GOG_VERSION=$(curl -s https://api.github.com/repos/steipete/gogcli/releases/
 # Install Tailscale
 RUN curl -fsSL https://tailscale.com/install.sh | HEADLESS=true sh
 
+# Create tailscale directories
+RUN mkdir -p /var/run/tailscale /home/node/.local/share/tailscale /home/node/.local/share/tailscale/files /home/node/.local/bin && \
+    chmod 777 /var/run/tailscale && \
+    chown -R node:node /home/node/.local
+
+# Create tailscale startup script (runs as node user)
+RUN echo '#!/bin/sh' > /home/node/.local/bin/tailscale-start.sh && \
+    echo 'mkdir -p /var/run/tailscale /home/node/.local/share/tailscale /home/node/.local/share/tailscale/files' >> /home/node/.local/bin/tailscale-start.sh && \
+    echo 'tailscaled --socket=/tmp/tailscale.sock --tun=userspace-networking &' >> /home/node/.local/bin/tailscale-start.sh && \
+    echo 'sleep 3' >> /home/node/.local/bin/tailscale-start.sh && \
+    echo 'tailscale --socket=/tmp/tailscale.sock up --authkey=$TAILSCALE_AUTH_KEY' >> /home/node/.local/bin/tailscale-start.sh && \
+    chmod +x /home/node/.local/bin/tailscale-start.sh
+
 # Copy custom tools into the image
 COPY tools/* /usr/local/bin/
 COPY bin/* /usr/local/bin/