#Error starting on fresh install

Hello, looking for help on fresh install on fedora. Followed install.sh setup and ended with "gateway connect failed: Error: pairing required" in repeat. Reinstalled 3 times always the same issue.. . any help ?

That error is usually the Control UI (browser) hitting the Gateway from a “new device”. For any non-loopback URL (LAN IP, hostname, Tailscale, etc.), OpenClaw requires a one-time device pairing approval.

Fix (most common)

1. In your browser, make sure you’re opening the UI either:

• On the Fedora box itself: http://127.0.0.1:18789/ (loopback is auto-approved), not http://<lan-ip>:18789/

OR, if you do want to access it remotely (LAN/Tailscale):

2. On the Fedora machine, approve the pending browser device:

openclaw devices list
openclaw devices approve <requestId>

3. Refresh the Control UI page and reconnect.

Docs reference: https://docs.openclaw.ai/web/control-ui#device-pairing-first-connection

If it still loops

Reply with (paste output):

openclaw --version
openclaw gateway status
openclaw devices list

…and tell me what exact URL you’re opening in the browser (127.0.0.1 vs LAN IP vs Tailscale).

I did end the setup using Hatch in TUI. for informaiton. I'm not able to show "openclaw devices list" it's gaving me error.

Here some logs :

[fedora@Host-004 ~]$ openclaw --version
openclaw gateway status
openclaw devices list
2026.2.19-2

🦞 OpenClaw 2026.2.19-2 (45d9b20) — Type the command with confidence—nature will provide the stack trace if needed.

│
gateway connect failed: Error: pairing required
◇
Service: systemd (enabled)
File logs: /tmp/openclaw/openclaw-2026-02-20.log
Command: /usr/bin/node /home/fedora/.npm-global/lib/node_modules/openclaw/dist/index.js gateway --port 18789
Service file: ~/.config/systemd/user/openclaw-gateway.service
Service env: OPENCLAW_GATEWAY_PORT=18789

Config (cli): ~/.openclaw/openclaw.json
Config (service): ~/.openclaw/openclaw.json

Gateway: bind=loopback (127.0.0.1), port=18789 (service args)
Probe target: ws://127.0.0.1:18789
Dashboard: http://127.0.0.1:18789/
Probe note: Loopback-only gateway; only local clients can connect.

Runtime: running (pid 1552858, state active, sub running, last exit 0, reason 0)
Warm-up: launch agents can take a few seconds. Try again shortly.
RPC probe: failed
RPC target: ws://127.0.0.1:18789
gateway closed (1008): pairing required
Gateway target: ws://127.0.0.1:18789
Source: cli --url
Config: /home/fedora/.openclaw/openclaw.json

Port 18789 is already in use.

• pid 1552858 fedora: openclaw-gateway (127.0.0.1:18789)
• Gateway already running locally. Stop it (openclaw gateway stop) or use a different port.
  Listening: 127.0.0.1:18789
  Troubles: run openclaw status
  Troubleshooting: https://docs.openclaw.ai/troubleshooting

🦞 OpenClaw 2026.2.19-2 (45d9b20) — I'm like tmux: confusing at first, then suddenly you can't live without me.

│
◇
[openclaw] Failed to start CLI: Error: gateway closed (1006 abnormal closure (no close frame)): no close reason
Gateway target: ws://127.0.0.1:18789
Source: local loopback

Yeah that output is useful: your gateway service is running, but every WS client (even the CLI on the same box) is getting kicked with:

gateway closed (1008): pairing required

On a loopback gateway (127.0.0.1) that should normally auto-approve the “local device” and not require pairing. When it does require pairing on loopback, it usually means the gateway is not treating the connection as “local direct” — most commonly because:

1. the request has a non-local Host header (e.g. you’re connecting via ws://Host-004:18789 / ws://<hostname>:18789 even if it resolves to 127.0.0.1), or
2. there are proxy headers (x-forwarded-*) present, but the proxy isn’t configured as trusted.

1) Quick thing to try (often fixes it)

Run the CLI forcing the exact loopback URL (don’t use the hostname):

OPENCLAW_URL=ws://127.0.0.1:18789 openclaw gateway status
OPENCLAW_URL=ws://127.0.0.1:18789 openclaw devices list

Also check if you have any URL override set:

env | grep -i OPENCLAW

If you see OPENCLAW_URL=ws://Host-004:18789 (or similar), that’s very likely the culprit — unset it.

2) Let’s confirm via logs (this will tell us which of the 2 cases it is)

Please run:

openclaw logs --tail 200 | grep -Ei "proxy headers|host header|treating it as remote|pairing required"

If the log contains something like “Loopback connection with non-local Host header. Treating it as remote.” → we’ll fix it by using 127.0.0.1/localhost consistently (especially if you’re using an SSH tunnel, open the UI via http://localhost:18789, not your machine name).

If it mentions “Proxy headers detected from untrusted address” → we’ll sort out what proxy is in front (or set gateway.trustedProxies correctly).

Paste those matched log lines here (they shouldn’t include secrets).

not really...

openclaw logs | grep -Ei "proxy headers|host header|treating it as remote|pairing required"
Gateway not reachable. Is it running and accessible?
Gateway target: ws://127.0.0.1:18789
Source: local loopback
Config: /home/fedora/.openclaw/openclaw.json
Bind: loopback
Hint: run openclaw doctor.

Let's just allow bind not only on loopback but all private ip range class A B C

openclaw logs is (confusingly) a gateway RPC call, so if the CLI can’t complete the WS handshake, openclaw logs … will fail exactly like openclaw devices list does.

But your openclaw gateway status already told us where the file logs are:

• File logs: /tmp/openclaw/openclaw-2026-02-20.log

So please grep the file directly (this does not require gateway access):

grep -Ei "proxy headers|non-local Host header|Treating it as remote|pairing required|device pairing" \
  /tmp/openclaw/openclaw-*.log | tail -n 80

That should reveal whether you’re hitting the “loopback but non-local Host header” case or the “proxy headers from untrusted address” case (both make the gateway treat a local connection as “remote”, which triggers pairing).

Also paste this (it often explains it immediately):

env | egrep -i 'OPENCLAW_URL|OPENCLAW_.*URL|HTTP_PROXY|HTTPS_PROXY|ALL_PROXY|NO_PROXY'

About “bind to all private IP ranges”

OpenClaw doesn’t have a “bind to RFC1918 only” setting. It’s just:

• gateway.bind: "loopback" (default)
• gateway.bind: "lan" (0.0.0.0, all interfaces)
• gateway.bind: "tailnet" (Tailscale IP)
• gateway.bind: "custom"

If you set "lan", you must rely on a firewall to restrict who can hit the port, and you still won’t “avoid pairing” — remote browsers/devices will still require device approval.

So I’d rather fix why your local CLI is being treated as non-local first (because right now you can’t even run devices approve, and binding wider won’t help that).

Paste the grep output above and we’ll pinpoint it.

Here the logs.

"0":"\u001b[31mgateway connect failed: Error: pairing required\u001b[39m","_meta":{"runtime":"node","runtimeVersion":"22.22.0","hostname":"Host-004","name":"openclaw","date":"2026-02-20T11:15:50.367Z","logLevelId":5,"logLevelName":"ERROR","path":{"fullFilePath":"file:///home/fedora/.npm-global/lib/node_modules/openclaw/dist/entry.js:2071:68","fileName":"entry.js","fileNameWithLine":"entry.js:2071","fileColumn":"68","fileLine":"2071","filePath":".npm-global/lib/node_modules/openclaw/dist/entry.js","filePathWithLine":".npm-global/lib/node_modules/openclaw/dist/entry.js:2071","method":"console.error"}},"time":"2026-02-20T11:15:50.374Z"}
{"0":"gateway connect failed: Error: pairing required","_meta":{"runtime":"node","runtimeVersion":"22.22.0","hostname":"Host-004","name":"openclaw","date":"2026-02-20T11:15:50.378Z","logLevelId":5,"logLevelName":"ERROR","path":{"fullFilePath":"file:///home/fedora/.npm-global/lib/node_modules/openclaw/dist/exec-CBKBIMpA.js:42:14","fileName":"exec-CBKBIMpA.js","fileNameWithLine":"exec-CBKBIMpA.js:42","fileColumn":"14","fileLine":"42","filePath":".npm-global/lib/node_modules/openclaw/dist/exec-CBKBIMpA.js","filePathWithLine":".npm-global/lib/node_modules/openclaw/dist/exec-CBKBIMpA.js:42","method":"logError"}},"time":"2026-02-20T11:15:50.379Z"}
{"0":" \u001b[31mgateway closed (1008): pairing required\u001b[39m","_meta":{"runtime":"node","runtimeVersion":"22.22.0","hostname":"Host-004","name":"openclaw","date":"2026-02-20T11:15:50.420Z","logLevelId":5,"logLevelName":"ERROR","path"...

How to set gateway.bind: "lan" ?

gateway.bind is just a mode switch — OpenClaw can’t “bind to RFC1918 only (A/B/C)” directly. The options are basically loopback / lan / tailnet / custom, and if you want “private-only” you do that with your firewall, not the bind setting.

Set gateway.bind: "lan"

This edits ~/.openclaw/openclaw.json (no gateway connection needed):

openclaw config set gateway.bind lan
openclaw gateway restart

Verify it’s listening on all interfaces:

ss -ltnp | grep 18789

Important: LAN bind requires auth + you’ll still see pairing

• When you bind to LAN, you must have gateway auth configured (token or password), otherwise the gateway will refuse to bind non-loopback.
• Remote browsers/devices will still need device pairing approval (that’s separate from bind/auth).

If you’re not sure you have a token yet, generate one:

openclaw doctor --generate-gateway-token
openclaw gateway restart

(Do not paste the token into Discord.)

If your goal is “access Control UI from another machine”

Be aware: opening http://<lan-ip>:18789/ is not a secure context, so the Control UI can fail unless you use HTTPS (recommended) or explicitly allow insecure auth.

Recommended: Tailscale Serve (HTTPS): https://docs.openclaw.ai/gateway/tailscale

Temporary “make it work over plain HTTP” (security downgrade):

openclaw config set gateway.controlUi.allowInsecureAuth true
openclaw gateway restart

If you tell me whether you’re trying to access the UI from (a) the same Fedora box, or (b) another machine on LAN, I can tell you the safest/cleanest setup for that.

still not working :

openclaw status

🦞 OpenClaw 2026.2.19-2 (45d9b20) — OpenAI-compatible, not OpenAI-dependent.

│
◇
[openclaw] Failed to start CLI: Error: SECURITY ERROR: Gateway URL "ws://192.168.1.11:18789" uses plaintext ws:// to a non-loopback address.
Both credentials and chat data would be exposed to network interception.
Source: local lan 192.168.1.11
Config: /home/fedora/.openclaw/openclaw.json
Fix: Use wss:// for the gateway URL, or connect via SSH tunnel to localhost.
at buildGatewayConnectionDetails (file:///home/fedora/.npm-global/lib/node_modules/openclaw/dist/call-DZzTR0NL.js:312:40)
at file:///home/fedora/.npm-global/lib/node_modules/openclaw/dist/status-CuCaWzfB.js:1537:29
at async withProgress (file:///home/fedora/.npm-global/lib/node_modules/openclaw/dist/progress-Clpi3Ckj.js:116:10)
at async scanStatus (file:///home/fedora/.npm-global/lib/node_modules/openclaw/dist/status-CuCaWzfB.js:1509:9)
at async statusCommand (file:///home/fedora/.npm-global/lib/node_modules/openclaw/dist/status-CuCaWzfB.js:1622:249)
at async Object.run (file:///home/fedora/.npm-global/lib/node_modules/openclaw/dist/run-main-ymxgIjRa.js:139:3)
at async runCli (file:///home/fedora/.npm-global/lib/node_modules/openclaw/dist/run-main-ymxgIjRa.js:377:6)

That error is expected once you switch to gateway.bind: "lan":

SECURITY ERROR: URL is ws://192.168.1.11:18789 (plaintext) to a non-loopback address

OpenClaw intentionally refuses to send tokens/chat over unencrypted ws:// to a LAN IP (MITM risk). So binding to LAN without TLS will make the CLI unhappy.

Do this instead (recommended)

A) Keep the gateway loopback-only + use an SSH tunnel for remote access

On the Fedora gateway host:

openclaw config set gateway.bind loopback
openclaw gateway restart

From your other machine (the one you want to use the UI from):

ssh -N -L 18789:127.0.0.1:18789 fedora@192.168.1.11

Then open in your browser on the other machine:

• http://127.0.0.1:18789/

Docs: https://docs.openclaw.ai/gateway/remote#ssh-tunnel-cli--tools

B) If you just want CLI to work on the Fedora box right now

Force it to use loopback (even if you keep bind=lan):

openclaw status --url ws://127.0.0.1:18789
openclaw devices list --url ws://127.0.0.1:18789

Quick check (this usually explains the original “pairing required” loop)

Please paste:

openclaw config get gateway.bind
openclaw config get gateway.mode
env | egrep -i 'OPENCLAW_URL|CLAWDBOT_URL'

If you had OPENCLAW_URL=ws://Host-004:18789 (hostname), the gateway treats that as non-local even if it resolves to 127.0.0.1 → then you get the “pairing required” loop. Unsetting that fixes it.

[fedora@Host-004 ~]$ openclaw config get gateway.bind

🦞 OpenClaw 2026.2.19-2 (45d9b20) — Because Siri wasn't answering at 3AM.

loopback
[fedora@Host-004 ~]$ openclaw config get gateway.mode

🦞 OpenClaw 2026.2.19-2 (45d9b20) — Ah, the fruit tree company! 🍎

local
[fedora@Host-004 ~]$ env | eg

That error is a security guardrail in the CLI:

• ws://192.168.1.11:18789 = plaintext WebSocket to a non-loopback IP
• OpenClaw refuses because it would expose tokens/chat to anyone on the LAN who can sniff traffic.

So: don’t try to use ws://LAN-IP. Either connect via localhost (SSH tunnel if remote), or enable TLS so it becomes wss://.

1) First: force localhost and see if everything works

Run this on the Fedora box:

openclaw status --url ws://127.0.0.1:18789
openclaw devices list --url ws://127.0.0.1:18789

If that works, then something is making your default openclaw status pick the LAN IP. Two common causes: an env var or a shell alias.

Please paste:

env | egrep -i 'OPENCLAW_URL|CLAWDBOT_URL|OPENCLAW_CONFIG_PATH|OPENCLAW_STATE_DIR|OPENCLAW_GATEWAY_BIND|CLAWDBOT_GATEWAY_BIND'
type openclaw
alias | grep -i openclaw || true

2) If you actually want LAN access (advanced): enable TLS (wss://)

This is the minimal config to make LAN binding + CLI happy:

openclaw config set gateway.bind lan
openclaw config set gateway.tls.enabled true --json
openclaw config set gateway.tls.autoGenerate true --json
openclaw gateway restart