
[Feature]: web_fetch should allow private IP access for users behind TUN/proxy (Fake-IP DNS issue) #60992

@prospect1314521

Feature Request

Problem

When Chinese users (and many others) use a TUN mode proxy (V2RayN, Clash, etc.), the DNS resolver returns Fake-IP addresses (e.g., 198.18.x.x, 127.0.0.1) for all domains. This is standard transparent proxy behavior.

When using web_fetch to access any URL in this scenario, it fails with:

[tools] web_fetch failed: Blocked: resolves to private/internal/special-use IP address raw_params={"url":"https://example.com"}

This is because web_fetch has a hardcoded SSRF protection that blocks all private/internal IPs. While this is a valid security measure, it completely breaks web_fetch for anyone using TUN mode — a very common setup in regions with restricted internet access.

Why existing workarounds don't work

  1. Changing DNS settings in the proxy — doesn't help because TUN mode intercepts all DNS at the network layer.
  2. Using curl instead — works as a workaround, but defeats the purpose of having a built-in web_fetch tool.
  3. Setting allowPrivateNetwork in config — this config option doesn't exist yet for web_fetch (unlike the browser tool which has ssrfPolicy).

Related Issues (unresolved)

Multiple users have reported this, but there's still no working solution.

Proposed Solutions

Option A (Preferred): Add a config option like tools.web.fetch.allowPrivateNetwork or tools.web.fetch.ssrfPolicy to let users opt in to private IP access.

Option B: Detect when the Fake-IP range (198.18.0.0/15) is being used and apply a different resolution strategy (e.g., resolve through the proxy's DNS chain).

Option C: Document a reliable workaround for TUN mode users.

Environment

  • OpenClaw version: Latest
  • Proxy: V2RayN / Clash in TUN mode
  • OS: Windows / Linux / macOS
  • DNS: Fake-IP mode

Impact

This affects millions of users in China and other regions who rely on TUN proxies for daily internet access. The current web_fetch tool is essentially unusable for them when TUN is active.
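
Added example, not part of the original issue and not OpenClaw's code: a sketch of how an SSRF address check could treat the Fake-IP range 198.18.0.0/15 as its own class, so that an opt-in admits only that range while loopback, RFC 1918 and link-local answers stay blocked. The names `classify`, `checkResolved` and `allowFakeIp` are hypothetical, the sample addresses are constructed, and IPv6 is left out and fails closed.

```javascript
// Added illustration; every name here is hypothetical, not OpenClaw's code or config.
const SPECIAL_USE = [
  ['0.0.0.0/8', 'this-network'], ['10.0.0.0/8', 'private'],
  ['100.64.0.0/10', 'shared-cgnat'], ['127.0.0.0/8', 'loopback'],
  ['169.254.0.0/16', 'link-local'], ['172.16.0.0/12', 'private'],
  ['192.168.0.0/16', 'private'],
  ['198.18.0.0/15', 'fake-ip'], // RFC 2544 benchmarking range, reused by Fake-IP DNS
  ['224.0.0.0/4', 'multicast'], ['240.0.0.0/4', 'reserved'],
];

// Dotted-quad string -> unsigned 32-bit integer, or null if not strict IPv4.
function ipv4ToInt(ip) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(ip);
  if (!m) return null;
  const o = m.slice(1).map(Number);
  if (o.some((n) => n > 255)) return null;
  return ((o[0] << 24) | (o[1] << 16) | (o[2] << 8) | o[3]) >>> 0;
}

function inCidr(addr, cidr) {
  const [base, bits] = cidr.split('/');
  const mask = (~0 << (32 - Number(bits))) >>> 0;
  return ((addr & mask) >>> 0) === ((ipv4ToInt(base) & mask) >>> 0);
}

// Label one resolved address: a special-use class, 'public', or 'invalid'.
function classify(ip) {
  const addr = ipv4ToInt(ip);
  if (addr === null) return 'invalid'; // IPv6 is out of scope here and fails closed
  const hit = SPECIAL_USE.find(([cidr]) => inCidr(addr, cidr));
  return hit ? hit[1] : 'public';
}

// Every address DNS returned must pass; one bad record blocks the fetch.
function checkResolved(addresses, { allowFakeIp = false } = {}) {
  if (addresses.length === 0) return { allowed: false, reason: 'no addresses' };
  for (const ip of addresses) {
    const kind = classify(ip);
    const ok = kind === 'public' || (allowFakeIp && kind === 'fake-ip');
    if (!ok) return { allowed: false, reason: `${ip} is ${kind}` };
  }
  return { allowed: true, reason: 'ok' };
}

// Constructed sample answers a resolver might hand back.
const samples = [['198.18.0.42'], ['127.0.0.1'], ['198.18.3.7', '10.0.0.5'], ['93.184.216.34']];
for (const s of samples) {
  console.log(s.join(','), checkResolved(s), checkResolved(s, { allowFakeIp: true }));
}
```

With Fake-IP DNS the client only ever sees the placeholder address, so the proxy, not this check, decides where the request finally lands.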
