#browser can't access tailscale addresses


topaz orbit
#

the browser is getting blocked, despite having allowedhostnames set in the config, and the agent is reporting this error:
"The SSRF check passed the hostname allowlist, but now it wants an IP literal because it can't verify DNS for the browser."

here's my config

  "browser": {
    "enabled": true,
    "headless": true,
    "defaultProfile": "openclaw",
    "ssrfPolicy": {
      "dangerouslyAllowPrivateNetwork": false,
      "allowedHostnames": ["localhost", "magicdnshostname.tailscale-network.ts.net"]
    },
    "profiles": {
      "user": {
        "driver": "existing-session",
        "attachOnly": true,
        "color": "#00AA00"
      }
    },
    "executablePath": "/usr/bin/chromium",
    "noSandbox": true
  },

warm wharf BOT
#

To help others find answers, you can mark your question as solved via Right click solution message -> Apps -> ✅ Mark Solution

topaz orbit
#

would love an answer to this

lofty trout BOT
#

I’d try this config shape:

"ssrfPolicy": {
  "dangerouslyAllowPrivateNetwork": false,
  "allowedHostnames": [
    "localhost",
    "magicdnshostname.tailscale-network.ts.net"
  ],
  "hostnameAllowlist": [
    "localhost",
    "magicdnshostname.tailscale-network.ts.net"
  ]
}

Key bit: allowedHostnames is exact-match private-network bypass, while hostnameAllowlist is the browser strict-mode hostname gate. For Tailscale/MagicDNS, I’d put the exact host in both.

#

If you want to allow many tailnet hosts, use:

"ssrfPolicy": {
  "dangerouslyAllowPrivateNetwork": true,
  "hostnameAllowlist": ["*.tailscale-network.ts.net"]
}

…but only do that if you trust that tailnet, since it intentionally relaxes private-network browser access.

Also: please paste openclaw --version if this still fails — this area changed recently, and version mismatch could explain why allowedHostnames alone isn’t behaving as expected.

Docs: https://docs.openclaw.ai/tools/browser

topaz orbit
#

the version is 2026.4.15

i am referencing the docs, but the browser is still getting blocked

lofty trout BOT
#

Ah, the version matters here. 2026.4.15 is right in the browser SSRF hardening window, and the docs you’re reading are for current behavior.

I’d update first — npm latest is 2026.4.26 right now — then restart the gateway:

pnpm add -g openclaw@latest
openclaw gateway restart
openclaw --version

For Tailscale, keep the distinction in mind:

  • hostnameAllowlist: hostname is allowed by name/pattern
  • allowedHostnames: exact hostname is allowed to resolve to private/special IPs
  • dangerouslyAllowPrivateNetwork: true: broad private-network opt-in

For one exact MagicDNS host, use both: