Feature: ssrfPolicy support for channel media downloads (TUN proxy compatibility) #25355

@philokalos-athos

Description

Problem

When running OpenClaw behind a TUN-mode proxy (e.g., Clash TUN), DNS returns virtual IPs in the 198.18.0.0/15 range (RFC 2544). OpenClaw's SSRF protection blocks these as private/special-use addresses, which breaks media downloads from Telegram (and potentially other providers).

Log:

[security] blocked URL fetch (url-fetch) target=https://api.telegram.org/file/bot.../file.jpg reason=Blocked: resolves to private/internal/special-use IP address

User sees: ⚠️ Failed to download media. Please try again.

Current behavior

Media download SSRF policy is hardcoded with no config override:

policy: { allowPrivateNetwork: false }

The browser section already supports ssrfPolicy, but there is no equivalent for channel media downloads.

Proposed solution

Extend ssrfPolicy to channel/media level:

{
  // Global or per-channel
  channels: {
    telegram: {
      ssrfPolicy: {
        allowedHostnames: ["api.telegram.org"]
      }
    }
  }
}

This lets users behind TUN proxies whitelist known-safe provider hostnames without disabling SSRF protection entirely.

Environment

  • OpenClaw 2026.2.22-2
  • WSL2 behind Clash TUN mode
  • DNS 10.255.255.254
  • api.telegram.org resolves to 198.18.0.120 (Clash virtual IP)
