Setup: Gateway on Hetzner VPS (Ubuntu 24.04, Docker), Mac node via npm. Both on same Tailscale tailnet. Telegram working via Cloudflare webhooks.
Tried:
SSH tunnel -> socket hang up, gateway never logs the attempt
Cloudflare Tunnel (ws://127.0.0.1:18789) -> connection reset by peer
Direct Tailscale IP -> SECURITY ERROR: plaintext ws:// (client-side check blocks it)
MagicDNS hostname -> security check passes but ECONNREFUSED -> traced to Docker + Tailscale iptables conflict in ts-forward chain
OPENCLAW_ALLOW_INSECURE_PRIVATE_WS=1 -> ignored, security check still fires
--tls flag -> ignored, security check fires before TLS applied (see #33118)
Key issue: Client-side security check blocks all non-loopback ws:// connections regardless of --tls or OPENCLAW_ALLOW_INSECURE_PRIVATE_WS=1. Gateway never logs failed node attempts.
gateway.bind currently set to tailnet, Docker binding to 0.0.0.0:18789.
What's the working method for Mac node -> remote Docker gateway on 2026.5.4? Is there a Tailscale config that avoids the Docker iptables conflict, or a workaround for the --tls regression?
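An added diagnostic for the Docker + Tailscale iptables conflict and the ECONNREFUSED described in the post above. This is example tooling written for this page, not code from the post, from OpenClaw, Docker or Tailscale, and it does not address the client-side ws:// check or the --tls regression. It assumes the Tailscale interface is named tailscale0 (an assumption; only the port 18789 comes from the post), and the `iptables-save` and `ss -ltn` excerpts it parses are constructed samples, not captured from the poster's host. Docker evaluates the DOCKER-USER chain before its own FORWARD rules, which is why the suggested allow rule goes there.

```bash
#!/usr/bin/env bash
# Example diagnostic written for this page; not OpenClaw, Docker or Tailscale code.
# Assumptions: Tailscale interface is tailscale0 (assumed), gateway port is 18789
# (from the post), rules are read from `iptables-save` and sockets from `ss -ltn`.

TS_IF="${TS_IF:-tailscale0}"
GW_PORT="${GW_PORT:-18789}"

# Policy of the filter-table FORWARD chain, read from iptables-save text on stdin.
# Docker sets it to DROP, so anything not explicitly accepted in FORWARD is dropped.
forward_policy() {
  awk '/^\*/ { t = substr($0, 2) }
       t == "filter" && $1 == ":FORWARD" { print $2; exit }'
}

# Order in which FORWARD jumps to DOCKER-USER and ts-forward.
# Prints "docker-first", "tailscale-first" or "incomplete" (a chain is not hooked).
forward_jump_order() {
  awk '/^\*/ { t = substr($0, 2) }
       t == "filter" && $1 == "-A" && $2 == "FORWARD" && $3 == "-j" {
         n++
         if ($4 == "DOCKER-USER") d = n
         if ($4 == "ts-forward")  ts = n
       }
       END {
         if (!d || !ts)  print "incomplete"
         else if (d < ts) print "docker-first"
         else             print "tailscale-first"
       }'
}

# Does DOCKER-USER already hold a terminal rule for traffic arriving on interface $1?
# Prints "accept", "drop" or "missing".
docker_user_verdict() {
  awk -v ifc="$1" '
    /^\*/ { t = substr($0, 2) }
    t == "filter" && $1 == "-A" && $2 == "DOCKER-USER" && $0 ~ ("-i " ifc "( |$)") {
      if ($0 ~ /-j ACCEPT/)        { print "accept"; found = 1; exit }
      if ($0 ~ /-j (DROP|REJECT)/) { print "drop";   found = 1; exit }
    }
    END { if (!found) print "missing" }'
}

# DOCKER-USER is evaluated before Docker's own chains, so it is the documented place
# for an operator allow rule. Prints the command; deliberately does not run it.
suggest_docker_user_rule() {
  printf 'iptables -I DOCKER-USER 1 -i %s -p tcp --dport %s -j ACCEPT\n' "$TS_IF" "$GW_PORT"
}

# ECONNREFUSED can also mean nothing listens where the client arrives. Given
# `ss -ltn` output on stdin, print "all" if port $1 is bound to every address,
# the specific bind address otherwise, or "none" if nothing listens on it.
listen_scope() {
  awk -v port="$1" '
    NR > 1 && $1 == "LISTEN" {
      addr = $4
      p = addr; sub(/.*:/, "", p)                 # text after the last colon
      if (p != port) next
      host = substr(addr, 1, length(addr) - length(p) - 1)
      if (host == "0.0.0.0" || host == "[::]" || host == "*") print "all"
      else print host
      found = 1; exit
    }
    END { if (!found) print "none" }'
}

# Constructed iptables-save excerpt (not from the poster's host): Docker started
# after tailscaled, FORWARD policy DROP, DOCKER-USER holds only Docker's RETURN.
SAMPLE_RULES='*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:DOCKER-USER - [0:0]
:ts-forward - [0:0]
:ts-input - [0:0]
-A INPUT -j ts-input
-A FORWARD -j DOCKER-USER
-A FORWARD -j ts-forward
-A DOCKER-USER -j RETURN
-A ts-forward -o tailscale0 -j ACCEPT
COMMIT'

# Same constructed excerpt after the suggested DOCKER-USER rule was inserted.
SAMPLE_RULES_FIXED='*filter
:FORWARD DROP [0:0]
-A FORWARD -j DOCKER-USER
-A FORWARD -j ts-forward
-A DOCKER-USER -i tailscale0 -p tcp -m tcp --dport 18789 -j ACCEPT
-A DOCKER-USER -j RETURN
COMMIT'

# Constructed `ss -ltn` output: gateway bound to every address on 18789.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      4096   0.0.0.0:18789       0.0.0.0:*
LISTEN 0      128    127.0.0.1:22        0.0.0.0:*'

# Run all checks against the constructed samples. On a real host replace the
# samples with `sudo iptables-save` and `ss -ltn` (run the latter inside the
# container namespace too, e.g. via `docker exec`, since the bind address there is
# what matters for a published port).
run_checks() {
  printf 'FORWARD policy:       %s\n' "$(printf '%s\n' "$SAMPLE_RULES" | forward_policy)"
  printf 'FORWARD jump order:   %s\n' "$(printf '%s\n' "$SAMPLE_RULES" | forward_jump_order)"
  printf 'DOCKER-USER verdict:  %s\n' "$(printf '%s\n' "$SAMPLE_RULES" | docker_user_verdict "$TS_IF")"
  printf 'Listen scope on %s: %s\n' "$GW_PORT" "$(printf '%s\n' "$SAMPLE_SS" | listen_scope "$GW_PORT")"
  printf 'Suggested rule:       %s\n' "$(suggest_docker_user_rule)"
}
run_checks
```

The script only reads and reports; apply the printed rule yourself and re-run the checks. A "missing" verdict with FORWARD policy DROP is the combination worth looking at first, but it does not by itself prove the ts-forward conflict, and the bind-address check matters because gateway.bind set to a tailnet address inside a container that has no tailnet interface would also surface as ECONNREFUSED on the published port.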