Docs/doctor request: clarify gateway reachability for OrbStack/WSL/VM/Tailscale setups

[oneandrewwang]

Summary

During a Mac mini OrbStack + Windows/WSL2 era, it was difficult to distinguish OpenClaw gateway bind behavior from VM/NAT/Tailscale reachability constraints. We used reverse SSH/Tailscale workarounds and at times misdiagnosed environment networking as an OpenClaw LAN binding problem.

This is probably not a core OpenClaw bug. It is a docs/doctor UX request.

Environment

• Mac mini M4 running OpenClaw inside OrbStack/Debian VM
• Windows PC / WSL2 local inference host
• Tailscale and reverse SSH tunnels used at different points
• Historical WSL2 subnet addresses like 172.26.x.x

Expected behavior

Docs/doctor should help users answer:

• Is gateway bound to 127.0.0.1 or 0.0.0.0?
• Is the address reachable from LAN, host, VM, WSL2, or only loopback?
• Should this deployment use Tailscale Serve/node pairing instead?
• When is reverse SSH appropriate?
• What security warnings apply before binding to LAN?

Actual behavior

Troubleshooting required ad hoc checks/tunnels and memory notes. It was easy to confuse VM/WSL NAT behavior with OpenClaw gateway config.

Suggested improvement

Add openclaw doctor gateway-reachability or a docs section covering:

1. local curl health
2. bind address detection
3. VM NAT / OrbStack caveats
4. WSL2 172.x LAN-unreachability caveat
5. Tailscale Serve/node route recommendation
6. reverse tunnel fallback
7. security warning for broad bind/reverse proxy headers

[clawsweeper]

Codex review: keeping this open for maintainer follow-up; there is still a little grit to resolve.

Summary
Keep open. Current main covers generic Gateway remote access, probe output, bind behavior, and exposure warnings, but it still lacks the requested OrbStack/WSL2/VM NAT reachability checklist or dedicated doctor reachability mode; open PR #73249 already targets this and should be resolved first.

Reproducibility: not applicable. as a runtime bug reproduction; this is a docs/doctor UX request. The high-confidence verification path is current docs/source inspection plus the open closing PR context.

Next step
Open PR #73249 already targets this issue with closing syntax, so a second ClawSweeper repair job should not be queued.

Review details

Best possible solution:

Land or replace PR #73249 with a focused Gateway reachability checklist, then add doctor behavior later only if the documented probe flow remains insufficient.

Do we have a high-confidence way to reproduce the issue?

Not applicable as a runtime bug reproduction; this is a docs/doctor UX request. The high-confidence verification path is current docs/source inspection plus the open closing PR context.

Is this the best way to solve the issue?

Yes for triage: keeping this issue open while PR #73249 is reviewed is the narrowest maintainable path. A docs-first fix fits the evidence better than adding new doctor behavior before maintainer product review.

What I checked:

• Open closing PR: Provided GitHub context shows PR docs(gateway): clarify reachability across VMs and tailnets #73249 is open, unmerged, and includes closing syntax for this issue; PR docs(gateway): clarify VM and WSL reachability #73236 attempted similar docs work and was closed unmerged. (257b940e4eef)
• Remote docs are generic: The current Remote access page explains loopback, SSH forwarding, Tailscale Serve, and security rules, but it does not include an OrbStack/WSL2/VM NAT checklist. Public docs: docs/gateway/remote.md. (docs/gateway/remote.md:15, 2a22eb68aafd)
• Gateway probe docs lack environment triage: The gateway probe reference describes local/remote targets, JSON fields, and warning codes, but not the requested VM, OrbStack, WSL2 172.x, or NAT decision flow. Public docs: docs/cli/gateway.md. (docs/cli/gateway.md:301, 2a22eb68aafd)
• Doctor has no reachability mode: The registered doctor command exposes repair, force, non-interactive, generate-token, and deep-scan flags only; no gateway-reachability subcommand or option is present. (src/cli/program/register.maintenance.ts:13, 2a22eb68aafd)
• Targeted wording search: A targeted search found no current Gateway docs/source surface for OrbStack, gateway-reachability, VM/NAT, reverse tunnel, reverse SSH, or 172.x checklist wording in the relevant paths. (2a22eb68aafd)
• Runtime bind behavior is separately covered: Gateway bind resolution already distinguishes loopback, lan, tailnet, auto, and custom modes, supporting this as a docs/doctor UX gap rather than a clear bind regression. (src/gateway/net.ts:214, 2a22eb68aafd)

Likely related people:

• pfrederiksen: Provided GitHub context shows PR docs(gateway): clarify reachability across VMs and tailnets #73249 directly targets this issue with closing syntax, and earlier PR docs(gateway): clarify VM and WSL reachability #73236 attempted the same Gateway reachability docs change. (role: open fix PR author and likely follow-up owner; confidence: high; commits: 257b940e4eef, 852e67122f46; files: docs/gateway/remote.md, docs/gateway/troubleshooting.md)
• steipete: The prior ClawSweeper review context routes recent Gateway remote docs, probe docs, and doctor registration maintenance on the central paths to this maintainer. (role: recent gateway docs and CLI maintainer; confidence: medium; commits: bb294bcd20eb; files: docs/gateway/remote.md, docs/cli/gateway.md, src/cli/program/register.maintenance.ts)

Remaining risk / open question:

• Maintainers still need to decide whether PR docs(gateway): clarify reachability across VMs and tailnets #73249's docs-only approach is enough or whether a future doctor reachability command is warranted.

Codex review notes: model gpt-5.5, reasoning high; reviewed against 2a22eb68aafd.