Node pairing through SSH tunnel: 401 on WebSocket upgrade

[kevin-freiburger]

I'm trying to pair two OpenClaw gateways as nodes to each other (bidirectional). Both are v2026.3.8. Gateway A (Windows) has gateway.bind: "lan" and gateway.auth.mode: "token".

Gateway B (EC2 Linux) connects to Gateway A via SSH reverse tunnel (ssh -R 18791:127.0.0.1:18789), then runs:

OPENCLAW_GATEWAY_TOKEN="<correct-token>" openclaw node run --host 127.0.0.1 --port 18791 --display-name "EC2-Gateway"

Result: node host gateway connect failed: Unexpected server response: 401

What works:

• Raw WebSocket from EC2 through the same tunnel with explicit Authorization: Bearer <token> header → HTTP 200 (upgrade succeeds)
• openclaw node run locally on the Windows gateway itself → gets past auth to "pairing required" (expected for new device)

What I've ruled out:

• Wrong token (verified matches gateway.auth.token)
• IPv6 (localhost vs 127.0.0.1 in tunnel target)
• sudo env stripping (tested as both ubuntu and openclaw users, also with clean OPENCLAW_HOME)
• Stale node.json (tested with fresh temp directory)

Theory: openclaw node run may not include the gateway token in the HTTP upgrade request headers — only at the WS protocol level. Local connections seem to be exempt from HTTP-level auth, but tunneled connections (which also arrive from 127.0.0.1) are not.

Questions:

1. Does openclaw node run pass the token in the HTTP Authorization header during WebSocket upgrade?
2. Is there a config option to allow unauthenticated WS upgrades when protocol-level auth will follow?
3. Any recommended approach for bidirectional node pairing between two gateways?

Related feature request: #42792 (--header support for Cloudflare Zero Trust service tokens)

[newcodebook]

A common gotcha here: openclaw node run must connect to the Gateway’s main WS/HTTP port (default 18789). Port 18791 is often the browser control service, and it will 401 a WS upgrade if you hit it by accident.

Quick fix / sanity checks

1. Verify your tunnel is actually pointing at the gateway port by probing over the tunnel:

• curl -i http://127.0.0.1:18791/probe

If that doesn’t look like the OpenClaw gateway probe response, you’re not reaching the gateway.

2. Prefer a straight mapping to the gateway port and use the default:

ssh -L 18789:127.0.0.1:18789 <user>@<windows-gateway-host>
OPENCLAW_GATEWAY_TOKEN="<token>" openclaw node run --host 127.0.0.1 --port 18789 --display-name "EC2-Gateway"

Why this helps: it removes ambiguity about which service you’re upgrading to, and the node host auth path is designed for the gateway WS port.

If it’s still 401 after that

Please paste:

• The exact curl -i .../probe output over the tunnel
• The first ~20 lines of OPENCLAW_LOG_LEVEL=debug openclaw node run ...

Recommended reading:

• OpenClaw Control UI Auth & Pairing: Fix 'unauthorized', 1008, and Remote Dashboard Access
• OpenClaw Remote Browser Setup: Gateway on One Machine, Browser on Another

[steipete]

Closing this as not reproducible on current main after Codex review.

Current main does not support the issue theory. openclaw node run still authenticates after the WebSocket opens, via the connect payload, not via an HTTP Authorization header. The gateway WebSocket server upgrades first and only then sends connect.challenge, so a real gateway-port connection should not fail with HTTP 401 at upgrade time. The reported 18791 target matches the separate browser control service, which is documented as gateway.port + 2 and explicitly returns 401 unless bearer/password auth is present. The symptom therefore matches tunneling to the browser control service instead of the gateway WebSocket port.

What I checked:

• Node host targets the gateway WebSocket port and passes token/password into GatewayClient: runNodeHost builds ws://<host>:<port> from the node flags and passes token/password into GatewayClient; default port is 18789. (src/node-host/runner.ts:173, 564f820efa2b)
• Gateway client opens the socket without HTTP auth headers: GatewayClient.start() constructs new WebSocket(url, wsOptions) with payload/tls options only; no Authorization header is attached at upgrade time. (src/gateway/client.ts:282, 564f820efa2b)
• Gateway auth is sent after upgrade in the connect frame: After connect.challenge, GatewayClient.sendConnect() places token/bootstrapToken/deviceToken/password inside params.auth for the connect RPC. (src/gateway/client.ts:435, 564f820efa2b)
• Gateway server upgrades before auth and emits connect.challenge: The HTTP upgrade handler hands the request to wss.handleUpgrade(...), and the WS connection handler immediately emits connect.challenge; auth is then resolved from the connect message. (src/gateway/server-http.ts:1189, 564f820efa2b)
• Gateway auth decision uses connectAuth from the post-upgrade handshake: resolveConnectAuthState() authorizes shared auth from connectAuth supplied by the WS connect payload, not from the HTTP upgrade headers alone. (src/gateway/server/ws-connection/auth-context.ts:70, 564f820efa2b)
• Docs now point SSH-tunneled node hosts at the gateway port, not the browser control port: The current node docs tunnel local 18790 to gateway 127.0.0.1:18789 and run openclaw node run --port 18790. Public docs: docs/nodes/index.md. (docs/nodes/index.md:93, 564f820efa2b)

Review notes: reviewed against 564f820efa2b.