
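Tailscale Serve + Webchat reports 1008 pairing required: an actionable troubleshooting runbook

Problem/scenario: when the OpenClaw dashboard is accessed through a Tailscale Serve reverse proxy, the Webchat handshake fails with `disconnected (1008): pairing required`. Prerequisites: Docker/host deployment, `gateway.bind=loopback`, and the ability to change the reverse proxy and trusted proxy settings. Steps: reproduce the issue → check XFF against the socket source → verify the `.ts.net` host check path → use an SSH tunnel as a temporary bypass. Key commands: Tailscale serve, SSH local forwarding. Verification: the connection stays stable and no longer triggers the pairing error. Risk: a misconfigured trusted proxy amplifies the risk from forged headers.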

GITHUB | Discovered 2026-02-19 | Author jukha-giju
Prerequisites
  • OpenClaw dashboard is exposed via Tailscale Serve to a `.ts.net` hostname.
  • You can inspect gateway logs and adjust reverse-proxy / trusted proxy settings.
Steps
  1. Reproduce the issue with the current setup (`gateway.bind: loopback`, Tailscale Serve to 127.0.0.1:18789) and capture evidence of close code 1008.
  2. Inspect whether proxy headers are trusted and what `X-Forwarded-For` resolves to during auth checks.
  3. Validate the `.ts.net` host path logic against runtime behavior; confirm whether local-direct detection exits before the host check.
  4. Apply a temporary workaround: use an SSH local tunnel to the localhost dashboard endpoint instead of the Tailscale Serve path.
  5. Track the upstream fix and re-test Serve-based access after the patch release before removing the workaround.
Commands
openclaw gateway status
openclaw gateway restart
ssh -N -L 8081:127.0.0.1:18789 <host>
Verify

Dashboard/webchat handshake succeeds continuously via workaround path and no `pairing required` disconnect appears during repeated sessions.

Caveats
  • The issue report is environment-specific (Docker host networking + Tailscale Serve); behavior may differ in non-host-network setups (needs verification).
  • Do not broadly trust forwarded headers from unverified proxies; this weakens auth boundary.
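
Step 2 and the forwarded-header caveat, as an added example that is not OpenClaw's code: a resolver showing how the address an auth check sees changes with the trusted-proxy list. It assumes the proxy appends the address it saw to `X-Forwarded-For`; the function names and sample addresses are constructed.

```javascript
// Added example, not OpenClaw's code. Names and addresses are constructed.

// Strip whitespace and unwrap IPv4-mapped IPv6 (::ffff:127.0.0.1).
function normalizeIp(ip) {
  const s = String(ip || "").trim().toLowerCase();
  return s.startsWith("::ffff:") ? s.slice(7) : s;
}

function isLoopback(ip) {
  const n = normalizeIp(ip);
  return n === "::1" || /^127\.\d{1,3}\.\d{1,3}\.\d{1,3}$/.test(n);
}

// socketPeer: TCP peer address (the proxy, when one sits in front).
// xff: raw X-Forwarded-For value or undefined.
// trustedProxies: exact IPs whose forwarded headers may be believed.
function resolveClientIp(socketPeer, xff, trustedProxies) {
  const trusted = new Set(trustedProxies.map(normalizeIp));
  const peer = normalizeIp(socketPeer);
  // The header is client-controlled unless the direct peer is trusted.
  if (!xff || !trusted.has(peer)) return peer;
  const hops = xff.split(",").map(normalizeIp).filter(Boolean);
  // Walk right to left: the rightmost entry was appended by the trusted
  // peer; stop at the first address that is not itself a trusted proxy.
  for (let i = hops.length - 1; i >= 0; i--) {
    if (!trusted.has(hops[i])) return hops[i];
  }
  return hops.length ? hops[0] : peer;
}

// Constructed cases: proxy on loopback, tailnet client 100.64.0.5.
const CASES = [
  { name: "no trusted proxy", peer: "127.0.0.1", xff: "100.64.0.5", trusted: [] },
  { name: "loopback proxy trusted", peer: "::ffff:127.0.0.1", xff: "100.64.0.5", trusted: ["127.0.0.1"] },
  { name: "client-supplied entry", peer: "127.0.0.1", xff: "127.0.0.1, 100.64.0.5", trusted: ["127.0.0.1"] },
  { name: "untrusted direct peer", peer: "203.0.113.9", xff: "127.0.0.1", trusted: ["127.0.0.1"] },
];

function evaluate(c) {
  const client = resolveClientIp(c.peer, c.xff, c.trusted);
  return { name: c.name, client, local: isLoopback(client) };
}

for (const c of CASES) console.log(evaluate(c));
```

Comparing the first two cases against gateway logs shows whether the auth check is seeing the proxy's loopback address or the forwarded tailnet address.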
Source attribution

This tip is aggregated from community/public sources and preserved with attribution.
