fix: persist private ws opt-in for node services

2026-05-06 09:20:43 +00:00 · 2026-04-24 06:07:15 +01:00
parent 171322644d
commit d4e93e791b
4 changed files with 30 additions and 0 deletions
--- a/docs/cli/node.md
+++ b/docs/cli/node.md
@@ -74,6 +74,11 @@ Options:
 - In `gateway.mode=remote`, remote client fields (`gateway.remote.token` / `gateway.remote.password`) are also eligible per remote precedence rules.
 - Node host auth resolution only honors `OPENCLAW_GATEWAY_*` env vars.

+For a node connecting to a non-loopback `ws://` Gateway on a trusted private
+network, set `OPENCLAW_ALLOW_INSECURE_PRIVATE_WS=1`. Without it, node startup
+fails closed and asks you to use `wss://`, an SSH tunnel, or Tailscale.
+`openclaw node install` persists this opt-in into the supervised node service.
+
 ## Service (background)

 Install a headless node host as a user service.
--- a/docs/plugins/google-meet.md
+++ b/docs/plugins/google-meet.md
@@ -136,6 +136,22 @@ Start the node host in the VM:
 openclaw node run --host <gateway-host> --port 18789 --display-name parallels-macos
 ```

+If `<gateway-host>` is a LAN IP and you are not using TLS, the node refuses the
+plaintext WebSocket unless you opt in for that trusted private network:
+
+```bash
+OPENCLAW_ALLOW_INSECURE_PRIVATE_WS=1 \
+  openclaw node run --host <gateway-lan-ip> --port 18789 --display-name parallels-macos
+```
+
+Use the same environment variable when installing the node as a LaunchAgent:
+
+```bash
+OPENCLAW_ALLOW_INSECURE_PRIVATE_WS=1 \
+  openclaw node install --host <gateway-lan-ip> --port 18789 --display-name parallels-macos --force
+openclaw node restart
+```
+
 Approve the node from the Gateway host:

 ```bash