Skip to content

feat: Add Netbird VPN support and fix Tailscale auto-connect#43

Open
zgv163 wants to merge 2 commits into
openclaw:mainfrom
zgv163:feature/vpn-provider-netbird-support
Open

feat: Add Netbird VPN support and fix Tailscale auto-connect#43
zgv163 wants to merge 2 commits into
openclaw:mainfrom
zgv163:feature/vpn-provider-netbird-support

Conversation

@zgv163

@zgv163 zgv163 commented Mar 13, 2026

Copy link
Copy Markdown

Summary

  • Add Netbird VPN as an alternative to Tailscale, selectable via vpn_provider variable ("tailscale", "netbird", or "")
  • Fix Tailscale auto-connect — the tailscale_authkey variable was defined and documented but never used in any task. Now it auto-connects with no_log: true for credential protection
  • Add Netbird auto-connect with setup key and optional netbird_management_url for self-hosted instances
  • Convert sudoers to Jinja2 template with conditional VPN permissions based on provider

Changes

New files

  • roles/openclaw/tasks/netbird-linux.yml — Netbird installation, service setup, auto-connect
  • roles/openclaw/templates/sudoers-openclaw.j2 — Templated sudoers with conditional VPN perms

Modified files

  • roles/openclaw/defaults/main.yml — New vpn_provider, netbird_setup_key, netbird_management_url variables
  • roles/openclaw/tasks/main.yml — VPN provider routing
  • roles/openclaw/tasks/tailscale-linux.yml — Added auto-connect task
  • roles/openclaw/tasks/firewall-linux.yml — Added Netbird UDP 51820 rule
  • roles/openclaw/tasks/user.yml — Switched from inline copy to template
  • Templates, playbooks, inventory sample, and all docs updated

Test plan

  • YAML syntax validation (all files pass)
  • ansible-playbook --syntax-check passes
  • E2E tested on Ubuntu 24.04 server with self-hosted Netbird
  • Netbird auto-connect with setup key verified (connected, 2/3 peers)
  • Sudoers template renders correctly (Netbird commands present, no Tailscale)
  • UFW firewall rule for 51820/udp added
  • Existing Docker tests unaffected (vpn_provider defaults to "")

Replace tailscale_enabled with vpn_provider variable supporting
"tailscale", "netbird", or "" (disabled). Add Netbird installation
tasks with auto-connect via setup key and optional self-hosted
management URL. Fix the unused tailscale_authkey by implementing
the auto-connect task with no_log for credential protection.

Convert inline sudoers to a Jinja2 template with conditional VPN
permissions based on the selected provider.

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: a538f634d3

ℹ️ About Codex in GitHub

Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".

Comment thread roles/openclaw/tasks/netbird-linux.yml
On minimal Debian/Ubuntu hosts, gnupg is not preinstalled. The Netbird
setup pipes the signing key through gpg --dearmor, which fails without
it. Add a prerequisite package install step matching the Docker task
pattern.
@clawsweeper clawsweeper Bot added rating: 🧂 unranked krab Not merge-ready due to missing proof or serious correctness/safety concerns. status: 📣 needs proof The PR needs real behavior proof before ClawSweeper can clear the contributor ask. P2 Normal priority bug or improvement with limited blast radius. merge-risk: 🚨 compatibility 🚨 Merging this PR could break existing users, config, migrations, defaults, or upgrades. merge-risk: 🚨 security-boundary 🚨 Merging this PR could weaken sandboxing, authorization, credentials, or sensitive data. labels May 22, 2026
@clawsweeper

clawsweeper Bot commented May 22, 2026

Copy link
Copy Markdown
Contributor

Thanks for the context here. I swept through the related work, and this is now duplicate or superseded.

Keep open. The PR contains useful Netbird and Tailscale auth-key work that is not already on current main, but it is not merge-ready because it breaks the existing tailscale_enabled upgrade path and changes VPN/security boundaries without visible real-behavior proof.

Canonical path: Close this stale PR. The latest review rated it F, the branch still lacks merge-ready proof, and there has been no human follow-up after the durable review.

So I’m closing this here because the remaining work is already tracked in the canonical issue.

Review details

Best possible solution:

Close this stale PR. The latest review rated it F, the branch still lacks merge-ready proof, and there has been no human follow-up after the durable review.

Do we have a high-confidence way to reproduce the issue?

Yes for the Tailscale auth-key subproblem by source inspection: current main declares and documents tailscale_authkey but the Tailscale task only prints manual tailscale up instructions. Netbird support is a new capability, so reproduction is not applicable there.

Is this the best way to solve the issue?

No, not as currently shaped; the provider abstraction is plausible, but the branch needs to preserve or explicitly migrate tailscale_enabled and prove the new VPN/security boundary before merge.

Security review:

Security review needs attention: The diff changes VPN trust and service-user network-control boundaries, so it needs maintainer-visible proof and acceptance before merge.

  • [medium] Broadened VPN sudo scope needs boundary proof — roles/openclaw/templates/sudoers-openclaw.j2:36
    The new sudoers template grants passwordless Netbird control commands such as netbird up * and netbird routes *. That may be acceptable, but it expands the service user's privileged network-control surface and needs explicit maintainer acceptance with real-host proof.
    Confidence: 0.86
  • [medium] New Netbird package and setup-key path changes trust boundary — roles/openclaw/tasks/netbird-linux.yml:21
    The Netbird path adds a third-party apt repository and a setup-key connection command. The PR should show redacted live output proving package-source setup, connection state, firewall exposure, and secret handling behave as intended.
    Confidence: 0.84

AGENTS.md: found and applied where relevant.

What I checked:

  • stale F-rated PR: PR was opened 2026-03-13T09:15:47Z, is older than 60 days, and the latest review rated it F.
  • proof blocker: real behavior proof is missing and proof tier is F, so this branch is not merge-ready without contributor follow-up.
  • no human follow-up: live comments and timeline hydrated by apply contain no non-automation activity after the ClawSweeper review.

Likely related people:

  • justin-russell: History ties the existing tailscale_enabled selector and firewall/task gating to the Tailscale optional-support commit. (role: introduced optional Tailscale selector; confidence: high; commits: f9a8c9eb19d7; files: roles/openclaw/defaults/main.yml, roles/openclaw/tasks/main.yml, roles/openclaw/tasks/firewall-linux.yml)
  • sheeek: Blame shows the current Tailscale install, status check, and manual auth instructions originated in the OS-aware Tailscale setup commit. (role: introduced Tailscale Linux setup; confidence: high; commits: 6d3c52e24fc8; files: roles/openclaw/tasks/tailscale-linux.yml)
  • alauppe: Blame ties the scoped sudo permission model that this PR templates and extends to user-task security-hardening work. (role: scoped sudo and user-task contributor; confidence: high; commits: 65c272a5ca00, 1f6055461796; files: roles/openclaw/tasks/user.yml)

Codex review notes: model internal, reasoning high; reviewed against bc4d0a9be681.

@clawsweeper

clawsweeper Bot commented May 22, 2026

Copy link
Copy Markdown
Contributor

ClawSweeper PR egg

🎁 Pass real behavior proof to wake the egg and unlock a hatchable treat.

Where did the egg go?
  • The egg game starts only after the PR passes the real-behavior proof check.
  • Before that, no creature or rarity is rolled. The treat waits for real proof.
  • This is still just collectible flavor: proof affects review readiness, not creature quality.

@clawsweeper clawsweeper Bot added rating: 🌊 off-meta tidepool PR readiness rating does not apply to this item. rating: 🦪 silver shellfish Thin PR readiness signal; proof, validation, or implementation needs work. status: 📣 needs proof The PR needs real behavior proof before ClawSweeper can clear the contributor ask. rating: 🧂 unranked krab Not merge-ready due to missing proof or serious correctness/safety concerns. and removed rating: 🧂 unranked krab Not merge-ready due to missing proof or serious correctness/safety concerns. status: 📣 needs proof The PR needs real behavior proof before ClawSweeper can clear the contributor ask. rating: 🌊 off-meta tidepool PR readiness rating does not apply to this item. rating: 🦪 silver shellfish Thin PR readiness signal; proof, validation, or implementation needs work. labels Jun 11, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

merge-risk: 🚨 compatibility 🚨 Merging this PR could break existing users, config, migrations, defaults, or upgrades. merge-risk: 🚨 security-boundary 🚨 Merging this PR could weaken sandboxing, authorization, credentials, or sensitive data. P2 Normal priority bug or improvement with limited blast radius. rating: 🧂 unranked krab Not merge-ready due to missing proof or serious correctness/safety concerns. status: 📣 needs proof The PR needs real behavior proof before ClawSweeper can clear the contributor ask.

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant