Skill

SkillsSoftware Development › Backend & APIs

node-connect

Diagnose OpenClaw node connection and pairing failures for Android, iOS, and macOS companion apps. Use when QR/setup code/manual connect fails, local Wi-Fi works but VPS/tailnet does not, or errors mention pairing required, unauthorized, bootstrap token invalid or expired, gateway.bind, gateway.remote.url, Tailscale, or plugins.entries.device-pair.config.publicUrl.

Freerisk: medium
connect

The full skill

— name: node-connect description: Diagnose OpenClaw node connection and pairing failures for Android, iOS, and macOS companion apps. Use when QR/setup code/manual connect fails, local Wi-Fi works but VPS/tailnet does not, or errors mention pairing required, unauthorized, bootstrap token invalid or expired, gateway.bind, gateway.remote.url, Tailscale, or plugins.entries.device-pair.config.publicUrl. — # Node Connect Goal: find the one real route from node -> gateway, verify OpenClaw is advertising that route, then fix pairing/auth. ## Topology first Decide which case you are in before proposing fixes: – same machine / emulator / USB tunnel – same LAN / local Wi-Fi – same Tailscale tailnet – public URL / reverse proxy Do not mix them. – Local Wi-Fi problem: do not switch to Tailscale unless remote access is actually needed. – VPS / remote gateway problem: do not keep debugging `localhost` or LAN IPs. ## If ambiguous, ask first If the setup is unclear or the failure report is vague, ask short clarifying questions before diagnosing. Ask for: – which route they intend: same machine, same LAN, Tailscale tailnet, or public URL – whether they used QR/setup code or manual host/port – the exact app text/status/error, quoted exactly if possible – whether `openclaw devices list` shows a pending pairing request Do not guess from `can't connect`. ## Canonical checks Prefer `openclaw qr –json`. It uses the same setup-code payload Android scans. “`bash openclaw config get gateway.mode openclaw config get gateway.bind openclaw config get gateway.tailscale.mode openclaw config get gateway.remote.url openclaw config get gateway.auth.mode openclaw config get gateway.auth.allowTailscale openclaw config get plugins.entries.device-pair.config.publicUrl openclaw qr –json openclaw devices list openclaw nodes status “` If this OpenClaw instance is pointed at a remote gateway, also run: “`bash openclaw qr –remote –json “` If Tailscale is part of the story: “`bash tailscale status –json “` ## Read the result, not guesses `openclaw qr –json` success means: – `gatewayUrl`: this is the actual endpoint the app should use. – `urlSource`: this tells you which config path won. Common good sources: – `gateway.bind=lan`: same Wi-Fi / LAN only – `gateway.bind=tailnet`: direct tailnet access – `gateway.tailscale.mode=serve` or `gateway.tailscale.mode=funnel`: Tailscale route – `plugins.entries.device-pair.config.publicUrl`: explicit public/reverse-proxy route – `gateway.remote.url`: remote gateway route ## Root-cause map If `openclaw qr –json` says `Gateway is only bound to loopback`: – remote node cannot connect yet – fix the route, then generate a fresh setup code – `gateway.bind=auto` is not enough if the effective QR route is still loopback – same LAN: use `gateway.bind=lan` – same tailnet: prefer `gateway.tailscale.mode=serve` or use `gateway.bind=tailnet` – public internet: set a real `plugins.entries.device-pair.config.publicUrl` or `gateway.remote.url` If `gateway.bind=tailnet set, but no tailnet IP was found`: – gateway host is not actually on Tailscale If `qr –remote requires gateway.remote.url`: – remote-mode config is incomplete If the app says `pairing required`: – network route and auth worked – approve the pending device “`bash openclaw devices list openclaw devices approve –latest “` If the app says `bootstrap token invalid or expired`: – old setup code – generate a fresh one and rescan – do this after any URL/auth fix too If the app says `unauthorized`: – wrong token/password, or wrong Tailscale expectation – for Tailscale Serve, `gateway.auth.allowTailscale` must match the intended flow – otherwise use explicit token/password ## Fast heuristics – Same Wi-Fi setup + gateway advertises `127.0.0.1`, `localhost`, or loopback-only config: wrong. – Remote setup + setup/manual uses private LAN IP: wrong. – Tailnet setup + gateway advertises LAN IP instead of MagicDNS / tailnet route: wrong. – Public URL set but QR still advertises something else: inspect `urlSource`; config is not what you think. – `openclaw devices list` shows pending requests: stop changing network config and approve first. ## Fix style Reply with one concrete diagnosis and one route. If there is not enough signal yet, ask for setup + exact app text instead of guessing. Good: – `The gateway is still loopback-only, so a node on another network can never reach it. Enable Tailscale Serve, restart the gateway, run openclaw qr again, rescan, then approve the pending device pairing.` Bad: – `Maybe LAN, maybe Tailscale, maybe port forwarding, maybe public URL.`