Add Tailscale Serve support for WSL gateways#967
Conversation
|
Codex review: found issues before merge. Reviewed July 10, 2026, 6:34 PM ET / 22:34 UTC. Summary Reproducibility: yes. for the patch defect: current-head source directly shows the gateway service account being configured as the Tailscale operator. The requested Tailscale mode itself is a new capability rather than a current-main bug. Review metrics: 2 noteworthy metrics.
Root-cause cluster Members:
Proposal only: this assessment does not dispatch repair, suppress jobs, mutate sibling items, close, or merge anything. Merge readiness Overall follows the weaker of proof and patch quality, so missing proof can cap an otherwise strong patch. Rank-up moves:
Risk before merge
Maintainer options:
Next step before merge
Maintainer decision needed
Security Review findings
Review detailsBest possible solution: Keep Tailscale daemon and persistent Serve administration root-owned, preserve token and device authentication, and support tailnet identity only after explicit approval of its threat model and installer trust policy. Do we have a high-confidence way to reproduce the issue? Yes for the patch defect: current-head source directly shows the gateway service account being configured as the Tailscale operator. The requested Tailscale mode itself is a new capability rather than a current-main bug. Is this the best way to solve the issue? No, not yet; private Serve over a loopback gateway is focused, but daemon administration must remain least-privileged and the identity-authentication contract needs explicit maintainer approval. Full review comments:
Overall correctness: patch is incorrect AGENTS.md: found and applied where relevant. Codex review notes: model internal, reasoning high; reviewed against 622c0e27c6b0. Label changesLabel changes:
Label justifications:
Evidence reviewedSecurity concerns:
What I checked:
Likely related people:
What the crustacean ranks mean
Shiny media proof means a screenshot, video, or linked artifact directly shows the changed behavior. Runtime, network, CSP, and security claims still need visible diagnostics. How this review workflow works
Review history (1 earlier review cycle)
|
|
The tailscale daemon needs to be in the openclaw account to allow openclaw to run I've addressed the other finding for parsing the |
|
Great improvement. If WSL/Tailscale path now changes, please call out migration expectations for existing gateway installs. |
Summary
wss://<wsl-node>.<tailnet>.ts.net; Tailscale identity authentication is trusted when enabled.Change Type (select all)
Scope (select all touched areas)
winnodeLinked Issue/PR
Validation
.\build.ps1dotnet test .\tests\OpenClaw.SetupEngine.Tests\OpenClaw.SetupEngine.Tests.csproj --no-restoredotnet test .\tests\OpenClaw.Shared.Tests\OpenClaw.Shared.Tests.csproj --no-restoredotnet test .\tests\OpenClaw.Tray.Tests\OpenClaw.Tray.Tests.csproj --no-restoregit diff --checkReal behavior proof
OpenClawGatewayWSL distro.12802b95 Add Tailscale Serve support for WSL gatewaysBackendState=Running;tailscaledandopenclaw-gateway.serviceactive.tailscale serve status --jsonreported HTTPS on port 443 proxying tohttp://127.0.0.1:18789..ts.netendpoint returned HTTP 200.TailscaleEnabled=true,IsLocalOnly=false, WSS gateway URL.wss://…ts.netrecord withSetupManagedDistroName=OpenClawGateway.gateway.auth.allowTailscale=true, Serve active, and node invocation succeeded.openclaw nodes invoke --node "Windows Node (...)" --command device.info --params '{}'returned"ok": true.tskey-*values and zero Tailscale authorization URLs.Security Impact (required)
Yes)Yes)Yes)No)No)Yes, explain risk + mitigation:gateway.auth.allowTailscale=true; tailnet ACLs therefore become an authorization control.Compatibility / Migration
Yes)Yes)No)--tailscale,--tailscale-auth browser|auth-key,--tailscale-hostname, andOPENCLAW_SETUP_TAILSCALE_AUTH_KEYfor auth-key mode.Review Conversations