bug: CLI vs Addon gateway state mismatch when using tailscale + reverse proxy #90
Description
Pre-flight checks
- I updated to the latest add-on version and restarted it.
- I checked the docs/troubleshooting section first.
What happened?
tailnet_https w/ Reverse Proxy mode shows gateway running, but terminal output says it's not. This effecively makes openclaw unhealthy and unusable.
What did you expect to happen?
Openclaw CLI to align with Assistant Add-on state.
Steps to reproduce
- Start addon
- Open web ui
- Run any openclaw cli command
- See error
Add-on version
0.5.55
OpenClaw version (if known)
2026.2.24
Access mode
tailnet_https
Relevant add-on configuration (redacted)
timezone: America/New_York
enable_terminal: true
terminal_port: 7681
gateway_public_url: https://openclaw-gateway.<domain>.com
homeassistant_token: ""
http_proxy: ""
router_ssh_host: ""
router_ssh_user: ""
router_ssh_key_path: /data/keys/router_ssh
clean_session_locks_on_start: true
clean_session_locks_on_exit: true
gateway_mode: local
gateway_remote_url: ""
gateway_bind_mode: tailnet
gateway_port: 18789
access_mode: tailnet_https
gateway_auth_mode: token
gateway_trusted_proxies: 172.30.33.3/32
gateway_additional_allowed_origins: >-
https://homeassistant.<domain>.ts.net:18789,https://openclaw-node.<domain>.ts.net:18789
enable_openai_api: true
force_ipv4_dns: true
nginx_log_level: minimal
gateway_env_vars: []Add-on logs
2026-03-06T14:52:37.218Z [ws] closed before connect conn=c43b1c6a-468d-4120-b191-26762c874fcd remote=172.30.33.3 fwd=172.30.32.1 origin=n/a host=openclaw-gateway.<domain>.com ua=OpenClaw/12195 CFNetwork/3860.400.51 Darwin/25.3.0 code=1008 reason=pairing required
2026-03-06T14:53:07.728Z [gateway] security audit: device access upgrade requested reason=role-upgrade device=6a647efbd9d8a55e64884a5e4b35fd3e55405c339680182b3803e1d6093d94ac ip=172.30.32.1 auth=token roleFrom=node roleTo=operator scopesFrom=<none> scopesTo=operator.admin,operator.approvals,operator.pairing client=openclaw-macos conn=5c865522-145f-4ba4-8b50-0f207ceb7293
2026-03-06T14:53:07.767Z [ws] closed before connect conn=5c865522-145f-4ba4-8b50-0f207ceb7293 remote=172.30.33.3 fwd=172.30.32.1 origin=n/a host=openclaw-gateway.<domain>.com ua=OpenClaw/12195 CFNetwork/3860.400.51 Darwin/25.3.0 code=1008 reason=pairing required
2026-03-06T14:53:38.260Z [gateway] security audit: device access upgrade requested reason=role-upgrade device=6a647efbd9d8a55e64884a5e4b35fd3e55405c339680182b3803e1d6093d94ac ip=172.30.32.1 auth=token roleFrom=node roleTo=operator scopesFrom=<none> scopesTo=operator.admin,operator.approvals,operator.pairing client=openclaw-macos conn=2d478cfd-91b8-4257-8836-cfaa0686474e
2026-03-06T14:53:38.378Z [ws] closed before connect conn=2d478cfd-91b8-4257-8836-cfaa0686474e remote=172.30.33.3 fwd=172.30.32.1 origin=n/a host=openclaw-gateway.<domain>.com ua=OpenClaw/12195 CFNetwork/3860.400.51 Darwin/25.3.0 code=1008 reason=pairing required
2026-03-06T14:54:08.808Z [gateway] security audit: device access upgrade requested reason=role-upgrade device=6a647efbd9d8a55e64884a5e4b35fd3e55405c339680182b3803e1d6093d94ac ip=172.30.32.1 auth=token roleFrom=node roleTo=operator scopesFrom=<none> scopesTo=operator.admin,operator.approvals,operator.pairing client=openclaw-macos conn=a3bfb03f-b899-4eeb-8ad4-deb06e371e0a
2026-03-06T14:54:08.829Z [ws] closed before connect conn=a3bfb03f-b899-4eeb-8ad4-deb06e371e0a remote=172.30.33.3 fwd=172.30.32.1 origin=n/a host=openclaw-gateway.<domain>.com ua=OpenClaw/12195 CFNetwork/3860.400.51 Darwin/25.3.0 code=1008 reason=pairing required
2026-03-06T14:54:38.993Z [gateway] security audit: device access upgrade requested reason=role-upgrade device=6a647efbd9d8a55e64884a5e4b35fd3e55405c339680182b3803e1d6093d94ac ip=172.30.32.1 auth=token roleFrom=node roleTo=operator scopesFrom=<none> scopesTo=operator.admin,operator.approvals,operator.pairing client=openclaw-macos conn=813cdc82-e361-4bc7-8c46-6a9abf8d0433
2026-03-06T14:54:39.021Z [ws] closed before connect conn=813cdc82-e361-4bc7-8c46-6a9abf8d0433 remote=172.30.33.3 fwd=172.30.32.1 origin=n/a host=openclaw-gateway.<domain>.com ua=OpenClaw/12195 CFNetwork/3860.400.51 Darwin/25.3.0 code=1008 reason=pairing required
2026-03-06T14:55:09.605Z [gateway] security audit: device access upgrade requested reason=role-upgrade device=6a647efbd9d8a55e64884a5e4b35fd3e55405c339680182b3803e1d6093d94ac ip=172.30.32.1 auth=token roleFrom=node roleTo=operator scopesFrom=<none> scopesTo=operator.admin,operator.approvals,operator.pairing client=openclaw-macos conn=e77c3086-bf67-4dd9-a6a5-8b57c5dc77b8
2026-03-06T14:55:09.623Z [ws] closed before connect conn=e77c3086-bf67-4dd9-a6a5-8b57c5dc77b8 remote=172.30.33.3 fwd=172.30.32.1 origin=n/a host=openclaw-gateway.<domain>.com ua=OpenClaw/12195 CFNetwork/3860.400.51 Darwin/25.3.0 code=1008 reason=pairing required
s6-rc: info: service legacy-services: stopping
s6-rc: info: service legacy-services successfully stopped
s6-rc: info: service legacy-cont-init: stopping
s6-rc: info: service legacy-cont-init successfully stopped
s6-rc: info: service fix-attrs: stopping
s6-rc: info: service fix-attrs successfully stopped
s6-rc: info: service s6rc-oneshot-runner: stopping
s6-rc: info: service s6rc-oneshot-runner successfully stopped
[2026/03/06 09:55:18:7404] N: received signal: SIGTERM (15), exiting...
[2026/03/06 09:55:18:7405] N: send ^C to force exit.
2026/03/06 09:55:18 [notice] 198#198: signal 15 (SIGTERM) received from 17, exiting
[2026/03/06 09:55:18:7406] N: WS closed from 127.0.0.1, clients: 0
[2026/03/06 09:55:18:7406] N: killing process, pid: 7009
Shutdown requested; stopping services...
2026/03/06 09:55:18 [notice] 198#198: signal 15 (SIGTERM) received from 79, exiting
2026/03/06 09:55:18 [notice] 200#200: signal 15 (SIGTERM) received from 17, exiting
2026/03/06 09:55:18 [notice] 200#200: exiting
2026/03/06 09:55:18 [notice] 200#200: exit
2026-03-06T14:55:18.761Z [gateway] signal SIGTERM received
2026/03/06 09:55:18 [notice] 198#198: signal 17 (SIGCHLD) received from 200
2026/03/06 09:55:18 [notice] 198#198: worker process 200 exited with code 0
2026/03/06 09:55:18 [notice] 198#198: exit
2026-03-06T14:55:18.775Z [gateway] received SIGTERM; shutting down
2026-03-06T14:55:18.797Z [gateway] signal SIGTERM received
2026-03-06T14:55:18.803Z [gateway] received SIGTERM during shutdown; ignoring
2026-03-06T14:55:18.808Z [gateway] signal SIGTERM received
2026-03-06T14:55:18.815Z [gateway] received SIGTERM during shutdown; ignoring
2026-03-06T14:55:18.909Z [gmail-watcher] gmail watcher stopped
2026-03-06T14:55:18.936Z [ws] webchat disconnected code=1012 reason=service restart conn=c2049a69-183f-4fe2-9d74-93cdb0ecec03
s6-rc: info: service s6rc-oneshot-runner: starting
s6-rc: info: service s6rc-oneshot-runner successfully started
s6-rc: info: service fix-attrs: starting
s6-rc: info: service fix-attrs successfully started
s6-rc: info: service legacy-cont-init: starting
s6-rc: info: service legacy-cont-init successfully started
s6-rc: info: service legacy-services: starting
s6-rc: info: service legacy-services successfully started
DEBUG: enable_terminal config value: 'true'
DEBUG: terminal_port config value: '7681' (validated)
INFO: Access mode: tailnet_https (Tailscale bind + token auth)
INFO: Enabled IPv4-first DNS ordering (NODE_OPTIONS=--dns-result-order=ipv4first)
INFO: Synced built-in skills to persistent storage at /config/.openclaw/skills
INFO: Synced Homebrew updates to persistent storage
INFO: Gateway settings already correct (mode=local, remoteUrl=, bind=tailnet, port=18789, chatCompletions=True, authMode=token, trustedProxies=['172.30.33.3/32'])
INFO: controlUi already correct: origins=['https://openclaw-gateway.<domain>.com', 'https://homeassistant.<domain>.ts.net:18789', 'http://homeassistant.<domain>.ts.net:18789', 'http://openclaw-node.<domain>.ts.net:18789', 'https://openclaw-node.<domain>.ts.net:18789'], deviceAuth=disabled
Starting OpenClaw Assistant runtime (openclaw)...
Starting web terminal (ttyd) on 127.0.0.1:7681 ...
ttyd started with PID 169
[2026/03/06 09:56:17:9589] N: ttyd 1.7.7-40e79c7 (libwebsockets 4.3.3-unknown)
[2026/03/06 09:56:17:9590] N: tty configuration:
[2026/03/06 09:56:17:9590] N: start command: bash
[2026/03/06 09:56:17:9590] N: close signal: SIGHUP (1)
[2026/03/06 09:56:17:9590] N: terminal type: xterm-256color
[2026/03/06 09:56:17:9590] N: endpoints:
[2026/03/06 09:56:17:9590] N: base-path: /terminal
[2026/03/06 09:56:17:9590] N: index : /terminal/
[2026/03/06 09:56:17:9590] N: token : /terminal/token
[2026/03/06 09:56:17:9590] N: websocket: /terminal/ws
[2026/03/06 09:56:17:9601] N: lws_create_context: LWS: 4.3.3-unknown, MbedTLS-2.28.5 NET SRV H1 H2 WS ConMon IPV6-off
[2026/03/06 09:56:17:9614] N: elops_init_pt_uv: Using foreign event loop...
[2026/03/06 09:56:17:9615] N: __lws_lc_tag: ++ [wsi|0|pipe] (1)
[2026/03/06 09:56:17:9616] N: __lws_lc_tag: ++ [vh|0|netlink] (1)
[2026/03/06 09:56:17:9617] N: __lws_lc_tag: ++ [vh|1|default|127.0.0.1|127.0.0.1|7681] (2)
[2026/03/06 09:56:17:9631] N: [vh|1|default|127.0.0.1|127.0.0.1|7681]: lws_socket_bind: source ads 127.0.0.1
[2026/03/06 09:56:17:9631] N: __lws_lc_tag: ++ [wsi|1|listen|default|127.0.0.1|7681] (2)
[2026/03/06 09:56:17:9631] N: Listening on port: 7681
[2026/03/06 09:56:17:9635] W: _lws_smd_msg_send: rejecting message on queue depth 40
[2026/03/06 09:56:17:9635] W: _lws_smd_msg_send: rejecting message on queue depth 40
[2026/03/06 09:56:17:9635] W: _lws_smd_msg_send: rejecting message on queue depth 40
[2026/03/06 09:56:17:9635] W: _lws_smd_msg_send: rejecting message on queue depth 40
[2026/03/06 09:56:17:9635] W: _lws_smd_msg_send: rejecting message on queue depth 40
INFO: Disk usage: 77G/114G (70% used, 33G free)
Starting ingress proxy (nginx) on :48099 ...
2026/03/06 09:56:19 [notice] 198#198: using the "epoll" event method
2026/03/06 09:56:19 [notice] 198#198: nginx/1.22.1
2026/03/06 09:56:19 [notice] 198#198: OS: Linux 6.12.67-haos
2026/03/06 09:56:19 [notice] 198#198: getrlimit(RLIMIT_NOFILE): 1024:524288
2026/03/06 09:56:19 [notice] 198#198: start worker processes
2026/03/06 09:56:19 [notice] 198#198: start worker process 200
nginx started with PID 198
│
◇ Doctor warnings ────────────────────────────────────────────────────────╮
│ │
│ - channels.telegram.groupPolicy is "allowlist" but groupAllowFrom (and │
│ allowFrom) is empty — all group messages will be silently dropped. │
│ Add sender IDs to channels.telegram.groupAllowFrom or │
│ channels.telegram.allowFrom, or set groupPolicy to "open". │
│ │
├──────────────────────────────────────────────────────────────────────────╯
[2026/03/06 09:56:34:6768] N: __lws_lc_tag: ++ [wsisrv|0|adopted] (1)
[2026/03/06 09:56:34:6770] N: HTTP /terminal/ - 127.0.0.1
[2026/03/06 09:56:34:6837] N: __lws_lc_untag: -- [wsisrv|0|adopted] (0) 6.941ms
172.30.32.2 - - [06/Mar/2026:09:56:34 -0500] "GET /terminal/ HTTP/1.1" 200 191356 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/145.0.0.0 Safari/537.36"
[2026/03/06 09:56:34:7908] N: __lws_lc_tag: ++ [wsisrv|1|adopted] (1)
[2026/03/06 09:56:34:7910] N: HTTP /terminal/token - 127.0.0.1
172.30.32.2 - - [06/Mar/2026:09:56:34 -0500] "GET /terminal/token HTTP/1.1" 200 13 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/145.0.0.0 Safari/537.36"
[2026/03/06 09:56:34:7914] N: __lws_lc_untag: -- [wsisrv|1|adopted] (0) 655μs
[2026/03/06 09:56:34:8502] N: __lws_lc_tag: ++ [wsisrv|2|adopted] (1)
[2026/03/06 09:56:34:8505] N: WS /terminal/ws - 127.0.0.1, clients: 1
[2026/03/06 09:56:34:8532] N: started process, pid: 205
Additional context
How can we get the openclaw gateway / addon to report as healthy, while connecting to it externally from tailnet vs reverse proxy?
Open claw CLI output:
root@17e0cc66-openclaw-assistant:/# openclaw logs --follow
🦞 OpenClaw 2026.3.2 (85377a2) — I don't judge, but your missing API keys are absolutely judging you.
│
◇ Doctor warnings ──────────────────────────────────────────────────────────────────────────╮
│ │
│ - channels.telegram.groupPolicy is "allowlist" but groupAllowFrom (and allowFrom) is │
│ empty — all group messages will be silently dropped. Add sender IDs to │
│ channels.telegram.groupAllowFrom or channels.telegram.allowFrom, or set groupPolicy to │
│ "open". │
│ │
├────────────────────────────────────────────────────────────────────────────────────────────╯
Gateway not reachable. Is it running and accessible?
Gateway target: ws://127.0.0.1:18789
Source: local loopback
Config: /config/.openclaw/openclaw.json
Bind: tailnet
Hint: run `openclaw doctor`.
root@17e0cc66-openclaw-assistant:/# openclaw doctor
🦞 OpenClaw 2026.3.2 (85377a2) — I speak fluent bash, mild sarcasm, and aggressive tab-completion energy.
▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄
██░▄▄▄░██░▄▄░██░▄▄▄██░▀██░██░▄▄▀██░████░▄▄▀██░███░██
██░███░██░▀▀░██░▄▄▄██░█░█░██░█████░████░▀▀░██░█░█░██
██░▀▀▀░██░█████░▀▀▀██░██▄░██░▀▀▄██░▀▀░█░██░██▄▀▄▀▄██
▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀
🦞 OPENCLAW 🦞
┌ OpenClaw doctor
│
◇ Update ──────────────────────────────────────────────────────────────────────────────────╮
│ │
│ This install is not a git checkout. │
│ Run `openclaw update` to update via your package manager (npm/pnpm), then rerun doctor. │
│ │
├───────────────────────────────────────────────────────────────────────────────────────────╯
│
◇ Startup optimization ─────────────────────────────────────────────────────────────────────╮
│ │
│ - NODE_COMPILE_CACHE is not set; repeated CLI runs can be slower on small hosts (Pi/VM). │
│ - OPENCLAW_NO_RESPAWN is not set to 1; set it to avoid extra startup overhead from │
│ self-respawn. │
│ - Suggested env for low-power hosts: │
│ export NODE_COMPILE_CACHE=/var/tmp/openclaw-compile-cache │
│ mkdir -p /var/tmp/openclaw-compile-cache │
│ export OPENCLAW_NO_RESPAWN=1 │
│ │
├────────────────────────────────────────────────────────────────────────────────────────────╯
│
◇ Doctor warnings ──────────────────────────────────────────────────────────────────────────╮
│ │
│ - channels.telegram.groupPolicy is "allowlist" but groupAllowFrom (and allowFrom) is │
│ empty — all group messages will be silently dropped. Add sender IDs to │
│ channels.telegram.groupAllowFrom or channels.telegram.allowFrom, or set groupPolicy to │
│ "open". │
│ │
├────────────────────────────────────────────────────────────────────────────────────────────╯
│
◇ State integrity ─────────────────────────────────────────────────────────────────────────╮
│ │
│ - State directory appears to be on SD/eMMC storage (~/.openclaw; device /dev/mmcblk1p4, │
│ fs ext4, mount ~). │
│ - SD/eMMC media can be slower for random I/O and wear faster under session/log churn. │
│ - For better startup and state durability, prefer SSD/NVMe (or USB SSD on Raspberry Pi) │
│ for OPENCLAW_STATE_DIR. │
│ │
├───────────────────────────────────────────────────────────────────────────────────────────╯
│
◇ Security ───────────────────────────────────────────────────────────────────────────╮
│ │
│ - WARNING: Gateway bound to "tailnet" (100.67.80.40) (network-accessible). │
│ Ensure your auth credentials are strong and not exposed. │
│ Safer remote access: keep bind loopback and use Tailscale Serve/Funnel or an SSH │
│ tunnel. │
│ Example tunnel: ssh -N -L 18789:127.0.0.1:18789 user@gateway-host │
│ Docs: https://docs.openclaw.ai/gateway/remote │
│ - Run: openclaw security audit --deep │
│ │
├──────────────────────────────────────────────────────────────────────────────────────╯
│
◇ Skills status ────────────╮
│ │
│ Eligible: 8 │
│ Missing requirements: 43 │
│ Blocked by allowlist: 0 │
│ │
├────────────────────────────╯
│
◇ Plugins ──────╮
│ │
│ Loaded: 5 │
│ Disabled: 33 │
│ Errors: 0 │
│ │
├────────────────╯
│
◇
│
◇ Gateway ──────────────╮
│ │
│ Gateway not running. │
│ │
├────────────────────────╯
│
◇ Gateway connection ──────────────────────╮
│ │
│ Gateway target: ws://127.0.0.1:18789 │
│ Source: local loopback │
│ Config: /config/.openclaw/openclaw.json │
│ Bind: tailnet │
│ │
├───────────────────────────────────────────╯
│
◇ Gateway port ──────────────────────────────────────────────────────────────────────────╮
│ │
│ Port 18789 is already in use. │
│ - Port is in use but process details are unavailable (install lsof or run as an admin │
│ user). │
│ │
├─────────────────────────────────────────────────────────────────────────────────────────╯
│
◇ Gateway ────────────────────────────────────────────────────────────────────────────────╮
│ │
│ systemd user services are unavailable; install/enable systemd or run the gateway under │
│ your supervisor. │
│ If you're in a container, run the gateway in the foreground instead of `openclaw │
│ gateway`. │
│ │
├──────────────────────────────────────────────────────────────────────────────────────────╯
Run "openclaw doctor --fix" to apply changes.
│
└ Doctor complete.
root@17e0cc66-openclaw-assistant:/#