#Tailscale Config

I am struggeling to correctly configure my remote gateway (hetzner) and then connect from my Mac to it using the Mac App.

I don't know whether is is the gateway server configuration or the mac app.

On the gateway server I started it with pnpm clawdbot gateway --tailscale serve.

My config at ~/.clawdbot/clawdbot.json has

  "gateway": {
    "port": 18789,
    "mode": "local",
    "bind": "loopback",
    "auth": {
      "mode": "token",
      "token": "redacted-token-1"
    },
    "tailscale": {
      "mode": "serve",
      "resetOnExit": true
    },
    "remote": {
      "url": "ws://127.0.0.1:18789",
      "token": "redacted-token-2"
    }
  },

And when I try to connect via the MacApp UI, entering root@2026-01-clawdbot under General>Clawbot Runs> Remote over SSH I get.

Gateway error: gateway connect: connect to gateway @ ws://127.0.0.1:18789: invalid connect params: data/client must have required property 'id'; data/client must NOT have additional properties; data/client/mode must be equal to constant; data/client/mode must be...

Note that I am running the tailscale mac client and it is connected to root@2026-01-clawdbot. I.e. I can ssh from the terminal into the machine.

Hey Michael! I can see the issue. A couple things are going on here:

1. The remote block in your server config is backwards

The remote section is for when a gateway connects to another gateway (outbound). You don't need it for accepting incoming connections. It's causing confusion.

2. For Tailscale serve mode, try this cleaner config:

{
  "gateway": {
    "port": 18789,
    "mode": "local",
    "bind": "loopback",
    "auth": {
      "mode": "token",

      "token": "your-token"
    },
    "tailscale": {
      "mode": "serve",
      "resetOnExit": true
    }
  }
}

Remove the remote block entirely on the server side.

3. The error itself looks like a version mismatch

The schema validation error (data/client must have required property 'id') suggests the Mac app and server gateway might be running different versions with incompatible handshake protocols.

Check versions on both sides:

# On your Hetzner server
pnpm clawdbot --version

# On your Mac (in terminal)
/usr/local/bin/clawdbot --version

If they differ, update both to the latest:

# Server
cd /path/to/clawdbot && git pull && pnpm install

# Mac - update via the app or:
brew upgrade clawdbot  # if installed via homebrew

4. Quick diagnostic

On the server, what does tailscale serve status show? The gateway should have registered a handler on port 18789.

Let me know what versions you're running and I can dig deeper! 🔧

Ok I upgraded and changed the config. I want to get thinks working on my mac via CLI first before going to the mac app. ok?

I configured my MacOs clawdbot with the onboard command as "remote":

{
  "messages": {
    "ackReactionScope": "group-mentions"
  },
  "gateway": {
    "mode": "remote",
    "remote": {
      "url": "ws://127.0.0.1:18789",
      "token": "redacted"
    }
  },
  "wizard": {
    "lastRunAt": "2026-01-11T19:02:05.587Z",
    "lastRunVersion": "2026.1.10",
    "lastRunCommand": "onboard",
    "lastRunMode": "remote"
  }
}

I opened a tunnel via ssh -N -L 18789:127.0.0.1:18789 root@2026-01-clawdbot.

Now when i run, on Mac pnpm clawdbot status --deep I get:

(see attached message)

So we are not using tailscale? What did I configure wrongly and how do I use tailscale?

Also, do I need to set up a language model provider on my Mac? Or is the expectation correct that once the gateway is configured the language model would run there?

Good news - it's actually working! 🎉 Look at your status:

Gateway    │ remote · ws://127.0.0.1:18789 · reachable 88ms · 2026-01-clawdbot (116.203.101.48)

The SSH tunnel approach works. But you're right, you're not using Tailscale yet - you're doing manual SSH port forwarding.

To use Tailscale instead:

1. On your Hetzner server, make sure the config has:

{
  "gateway": {

    "port": 18789,
    "bind": "loopback",
    "tailscale": {
      "mode": "serve",
      "resetOnExit": true
    }
  }
}

Then restart the gateway. Run tailscale serve status to confirm it's serving on HTTPS.

2. On your Mac, change the remote URL to your Tailscale hostname:

{

  "gateway": {
    "mode": "remote",
    "remote": {
      "url": "wss://2026-01-clawdbot.<your-tailnet>.ts.net",
      "token": "your-token"
    }
  }
}

Note: wss:// (secure WebSocket) since Tailscale serve provides HTTPS.

You can find your tailnet domain with tailscale status on either machine.

Re: LLM providers on Mac

No, you don't need them on the Mac! That's the whole point of remote mode.

Your Mac is a thin client → all LLM calls go through the gateway → the server has your Anthropic/OpenAI keys and does the actual API calls.

The providers showing "SETUP" on your Mac status are for messaging (Telegram, Discord, etc.), not LLM. Those are configured on the server too.

TL;DR: Your current setup works. To switch from SSH tunnel → Tailscale, just change the remote.url to your Tailscale hostname and ensure the server has tailscale.mode: "serve" configured.

ok, so on the server i have in my config:

  "gateway": {
    "port": 18789,
    "mode": "local",
    "bind": "loopback",
    "auth": {
      "mode": "token",
      "token": "redacted"
    },
    "tailscale": {
      "mode": "serve",
      "resetOnExit": true
    }
  },

And on mac:

  "gateway": {
    "mode": "remote",
    "remote": {
      "url": "wss://2026-01-clawdbot.<redacted>.ts.net",
      "token": "redacted"
    }
  },

However:

> tsx src/entry.ts status --deep


:lobster: Clawdbot 2026.1.10 (e5bb5b5) — I'll butter your workflow like a lobster roll: messy, delicious, effective.

│
◇  

Error: gateway closed (1006 abnormal closure (no close frame)): no close reason
Gateway target: wss://2026-01-clawdbot.tail4b8ac4.ts.net
Source: config gateway.remote.url
Config: /Users/michaelfrohlich/.clawdbot/clawdbot.json
 ELIFECYCLE  Command failed with exit code 1.

Do we miss a port or what could be the issue?

The 1006 error means the connection opened but then immediately dropped - usually a Tailscale serve routing issue.

On your server, run:

tailscale serve status

This will show if the gateway actually registered with Tailscale. You should see something like:

https://2026-01-clawdbot.tail4b8ac4.ts.net (Funnel off)
|-- / proxy http://127.0.0.1:18789

If it's empty or shows nothing, the gateway didn't register.

Also check:

# Is the gateway actually running?
pnpm clawdbot status

# What's in the gateway logs?
journalctl -u clawdbot -n 50 --no-pager

Common issues:

1. Gateway not running - Tailscale serve only registers when the gateway starts
2. Tailscale not logged in - run tailscale status to verify
3. Serve permission - some tailnets require admin approval for serve

Let me know what tailscale serve status shows! 🦞

on the server I am seeing 19:25:35 [tailscale] serve failed: Command failed: tailscale serve --bg --yes 18789

Run it manually to see the full error:

tailscale serve --bg --yes 18789

And also:

tailscale status
tailscale version

Most likely causes:

1. Not logged in - tailscale up needed
2. Serve not enabled - check your Tailscale admin console → DNS → HTTPS Certificates must be enabled
3. Old version - serve needs Tailscale 1.30+

What does the manual command output? 🔍

ok great now it works – I had to enable "serve" in the admin dashboard.

🎉 Nice! That was it - Tailscale serve needs to be explicitly enabled in the admin console.

Now you've got a proper setup:

• No SSH tunnel needed - Tailscale handles the secure connection
• HTTPS/WSS by default - encrypted end-to-end
• Works from anywhere - as long as both machines are on your tailnet

Give pnpm clawdbot status --deep another try on your Mac - should connect cleanly now! 🦞

ok, now back to the macos app. if i try entering root@root@2026-01-clawdbot.<redacted>.ts.net here and press test, I get "Remote Control tunnel failed". How do i set this up properly?

I see the issue! The error says "Remote mode is not enabled" - this is a server-side setting.

The Mac app's "Remote over SSH" is a different mechanism from your CLI Tailscale setup. It SSHs in and looks for a control channel.

On your server config, you likely need to enable remote control:

{
  "gateway": {
    "port": 18789,
    "bind": "loopback",
    "auth": {
      "mode": "token",
      "token": "your-token"
    },
    "tailscale": {

      "mode": "serve",
      "resetOnExit": true
    },
    "control": {
      "enabled": true
    }
  }
}

Then restart the gateway on the server.

Alternatively, since your CLI setup already works via Tailscale, you could check if the Mac app can use the same config. Look in ~/.clawdbot/clawdbot.json on your Mac - you already have:

"gateway": {
  "mode": "remote",
  "remote": {
    "url": "wss://2026-01-clawdbot.xxx.ts.net",
    "token": "..."
  }
}

The Mac app might just need to detect this existing config rather than using "Remote over SSH". Try clicking "Not configured" and see if it picks up the existing remote config, or check under Advanced for a way to use an existing config file.

I am still getting: Remote control tunnel failed (Remote mode is not configured)

Ah, I see the confusion now! The Mac app's "Remote over SSH" option is a different mechanism from your Tailscale setup.

You've already got Tailscale working via CLI - you don't need the SSH option. The Mac app just needs to use the same config you already have.

Since your ~/.clawdbot/clawdbot.json on Mac already has:

"gateway": {
  "mode": "remote",
  "remote": {
    "url": "wss://2026-01-clawdbot.xxx.ts.net",
    "token": "..."
  }
}

The Mac app should pick that up automatically. Try:

1. Don't select "Remote over SSH" - that's for a different setup (SSH tunnel without Tailscale)
2. Click "Not configured" or look for an option to use existing config
3. Or quit and relaunch the Mac app - it should detect your existing remote gateway config

The Mac app has two paths:

• Remote over SSH → SSH tunnels to localhost:18789 (what you were trying)
• Remote via config → uses gateway.remote.url directly (what you want)

Since CLI already works, the app should just need to read the existing config. Does restarting the app pick up your Tailscale gateway? 🦞

ok so how do i set it up correctly then? Step by step?

Step-by-Step: Mac App → Remote Gateway via Tailscale

On your Hetzner server

1. Server config (~/.clawdbot/clawdbot.json or wherever your config lives):

{
  "gateway": {
    "port": 18789,
    "mode": "local",
    "bind": "loopback",
    "auth": {
      "mode": "token",
      "token": "pick-a-secure-token"
    },
    "tailscale": {

      "mode": "serve",
      "resetOnExit": true
    }
  }
}

2. Start/restart the gateway:

pnpm clawdbot start
# or if using systemd:
sudo systemctl restart clawdbot

3. Verify Tailscale serve is active:

tailscale serve status

Should show something like:

https://2026-01-clawdbot.tail4b8ac4.ts.net (Funnel off)
|-- / proxy http://127.0.0.1:18789

On your Mac

4. Make sure Tailscale is running and you're logged into the same tailnet.

5. Edit your Mac config at ~/.clawdbot/clawdbot.json:

{
  "gateway": {
    "mode": "remote",
    "remote": {
      "url": "wss://2026-01-clawdbot.tail4b8ac4.ts.net",
      "token": "pick-a-secure-token"
    }
  }
}

(Use the same token you set on the server)

6. Test via CLI first:

pnpm clawdbot status --deep

Should show Gateway: remote · wss://... · reachable

7. Launch the Mac app - it should read the config and connect automatically. In the app settings, leave it on "Not configured" (since config is already set via file).

That's it! The Mac app reads ~/.clawdbot/clawdbot.json and connects via Tailscale. No SSH needed. 🦞

and now I am suddenly getting the following in the console:

michaelfrohlich@Michaels-MacBook-Pro-2 clawdbot % pnpm clawdbot status --deep

clawdbot@2026.1.10 clawdbot /Users/michaelfrohlich/Repositories/clawdbot
tsx src/entry.ts status --deep

🦞 Clawdbot 2026.1.10 (e5bb5b5) — Your task has been queued; your dignity has been deprecated.

│
◇
gateway connect failed: Error: invalid connect params: data/client must have required property 'name'; data/client must NOT have additional properties
Error: gateway closed (1008): invalid handshake
Gateway target: ws://127.0.0.1:18789
Source: local loopback
Config: /Users/michaelfrohlich/.clawdbot/clawdbot.json
Bind: loopback
 ELIFECYCLE  Command failed with exit code 1.

Two issues here:

1. It's connecting locally, not to Tailscale

Gateway target: ws://127.0.0.1:18789
Source: local loopback

Your Mac config isn't set to remote mode. Check ~/.clawdbot/clawdbot.json:

cat ~/.clawdbot/clawdbot.json | grep -A5 '"gateway"'

Make sure it has:

"gateway": {

  "mode": "remote",
  "remote": {
    "url": "wss://2026-01-clawdbot.tail4b8ac4.ts.net",
    "token": "your-token"
  }
}

2. Version mismatch
The invalid connect params error means client/server are speaking different protocols.

Check versions:

# Mac
pnpm clawdbot --version

# Server (SSH in)
pnpm clawdbot --version

If they differ, update both to the same version:

git pull && pnpm install

The handshake schema changed recently - both sides need to match. 🔧

ok, so everytime I open the macos app it overwrite my ~/.clawdbot/clawdbot.json

Ahh, that's the issue! The Mac app is overwriting your config.

Options:

1. Configure through the Mac app UI directly
Look under Advanced in the app settings - there should be a way to set a custom gateway URL without using "Remote over SSH". Maybe a field for gateway URL/token.

2. Use the Connections tab
In your screenshot I saw a "Connections" tab in the app - check if there's a gateway/remote config option there.

3. CLI only (skip the app)
Since CLI works fine with your config, you could just use:

pnpm clawdbot start

And interact via terminal instead of the Mac app.