[Feature]: Add gateway.trustedNetworks to allow ws:// over encrypted mesh networks (WireGuard/VPNs)

[amir0ff]

Summary

OpenClaw v2026.2.19 introduced a security check that blocks WebSocket connections (ws://) to non-loopback IP addresses. While this improves security for public networks, it inadvertently breaks existing secure deployments that use encrypted mesh networks (WireGuard, VPNs) where the underlying transport is already encrypted at the network layer.

Problem to solve

Current Behavior:

• Node (v2026.2.19) refuses to connect to ws://10.10.152.1:18789 over WireGuard
• Error: SECURITY ERROR: Cannot connect to '10.10.152.1' over plaintext ws://. Both credentials and chat data would be exposed to network interception.
• Forces upgrade to wss:// which requires:
• Opening port 443 to the internet (security regression)
• Setting up SSL certificates + reverse proxy (operational complexity)
• Or SSH tunnels (fragile, requires key management)

Root Issue:

The security check only verifies URL scheme (ws:// vs wss://) and IP address (loopback vs non-loopback). It does not consider whether the underlying network is already encrypted (WireGuard, VPN, Tailscale) or protected by firewall rules.

Environment:

• OpenClaw Version: 2026.2.19-2 (both gateway and node)
• OS: Ubuntu 24.04 LTS
• Network: WireGuard mesh (10.10.152.0/24) - encrypted at layer 3
• Firewall: UFW blocks port 18789 on public interface

Proposed solution

Add gateway.trustedNetworks configuration option:

{
  gateway: {
    bind: "lan",
    trustedNetworks: ["10.10.152.0/24", "100.64.0.0/10"],  // WireGuard, Tailscale
  }
}

Alternatives considered

1. WSS with Let's Encrypt
   • Requires opening port 443 publicly
   • Exposes service to internet (less secure than WireGuard-only)
   • Adds certificate management overhead
2. SSH Tunnel
   • Works but adds complexity and fragility
   • Requires SSH key management
   • Connection drops need manual recovery
3. Self-signed Certificates
   • Complex certificate management
   • Trust store issues on nodes
   • Certificate renewal overhead

None of these alternatives preserve the simplicity and security of the original WireGuard setup.

Impact

• ✅ Skip ws:// security check for IPs in trusted subnets
• ✅ Maintain security for untrusted networks (default behavior unchanged)
• ✅ Preserve existing encrypted mesh network setups
• ✅ No need to open ports or manage certificates

Security Comparison:

Approach	Encryption	Port Exposure	Complexity
ws:// over WireGuard	✅ WireGuard	❌ None	✅ Low
wss:// with Let's Encrypt	✅ TLS	⚠️ Port 443 public	❌ High
SSH tunnel	✅ Double (WG+SSH)	❌ None	❌ Medium

Evidence/examples

No response

Additional information

No response

[tareko]

The other network setup this seems to break is with docker, where the gateway and the CLI are on two separate "machines", but the internal network is functionally secure.

[amir0ff]

Update: Found a workaround using socat relay

I was able to work around this by setting up a local TCP relay with socat. The node connects to localhost:18789 (which satisfies the loopback check), and socat forwards the traffic over WireGuard to the actual Gateway.

How it works:

OpenClaw Node → localhost:18789 → socat → 10.10.152.1:18789 (Gateway via WireGuard)

Systemd service for the relay:

# ~/.config/systemd/user/openclaw-relay.service
[Unit]
Description=OpenClaw WireGuard Relay
After=network-online.target

[Service]
ExecStart=/usr/bin/socat TCP4-LISTEN:18789,fork,reuseaddr TCP4:10.10.152.1:18789
Restart=always
RestartSec=5

[Install]
WantedBy=default.target

Systemd service for the node:

# ~/.config/systemd/user/openclaw-node.service
[Unit]
Description=OpenClaw Node (v2026.2.23)
After=network-online.target openclaw-relay.service
Requires=openclaw-relay.service

[Service]
ExecStart=/bin/node/openclaw node run --host 127.0.0.1 --port 18789 --display-name Web-Server
Restart=always
RestartSec=5
KillMode=process
Environment="OPENCLAW_SYSTEMD_UNIT=openclaw-node.service"
Environment=OPENCLAW_SERVICE_KIND=node

[Install]
WantedBy=default.target

Enable and start:

systemctl --user daemon-reload
systemctl --user enable --now openclaw-relay.service
systemctl --user enable --now openclaw-node.service

Result: Node is now connected and working ✅

Regarding this issue:

The workaround works for my setup, but I'd still argue a native gateway.trustedNetworks config would be cleaner and more discoverable for other WireGuard/VPN users. Happy to close this if the maintainers prefer the workaround approach, or leave it open as a feature request for a future release.

[vincentkoc]

Fixed in Fixed in #28670

[amir0ff]

Fixed in Fixed in #28670

Vincent 🫡