web_fetch fails when using VPN TUN mode (DNS hijacked to 198.18.x.x) #38986

@kikkishook

Description

When using a VPN in TUN mode (e.g., ShadowRocket on macOS), the system DNS is hijacked to 198.18.0.2, which returns fake IPs in the 198.18.x.x range for all domain lookups.

The web_fetch tool fails with:

Blocked: resolves to private/internal/special-use IP address

This happens because OpenClaw has SSRF protection that blocks special-use IP addresses (including 198.18.x.x benchmark range), and this check happens before the request goes through the HTTP_PROXY.

Steps to reproduce

  1. Set up a VPN client in TUN mode that hijacks DNS
  2. Configure HTTP_PROXY/HTTPS_PROXY in OpenClaw config
  3. Try to use web_fetch tool

Expected behavior

web_fetch should work when HTTP_PROXY is configured.

Workaround

  • curl works fine through the same proxy
  • The issue is specifically in OpenClaw SSRF protection checking the resolved IP before using the proxy

Possible solutions

  1. Add DNS resolver config option (e.g., --dns-resolver=8.8.8.8)
  2. Make SSRF protection smarter when HTTP_PROXY is configured - skip IP check when using proxy
  3. Allow configuring which IP ranges to block

Environment

  • OpenClaw: v2026.3.2
  • macOS
  • VPN: ShadowRocket TUN mode
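The following is an added example written for this page; it is not OpenClaw's code and does not claim to reproduce its actual SSRF guard. It shows the mechanism the report describes, an SSRF pre-flight that resolves the hostname locally and rejects special-use ranges, with the resolver injected so the "fake IP" DNS of a TUN-mode VPN can be simulated offline. All identifiers (`SPECIAL_USE_V4`, `ipv4ToInt`, `inCidr`, `isSpecialUseV4`, `preflight`, `hijackedResolver`, `cleanResolver`) and the resolver answers are constructed for the example; the check is IPv4-only, and `198.18.0.0/15` is the RFC 2544 benchmarking block that covers every `198.18.x.x` / `198.19.x.x` answer the hijacked resolver returns.

```javascript
// Added example, not OpenClaw's code. Minimal SSRF pre-flight with a pluggable
// resolver so the failure in the issue (fake-IP DNS -> 198.18.0.2 -> blocked)
// can be reproduced and reasoned about offline. IPv4 only.

// Special-use IPv4 blocks (RFC 6890 and friends) that an SSRF guard should refuse.
const SPECIAL_USE_V4 = [
  ["0.0.0.0", 8],        // "this" network
  ["10.0.0.0", 8],       // RFC 1918 private
  ["100.64.0.0", 10],    // RFC 6598 shared address space (CGNAT)
  ["127.0.0.0", 8],      // loopback
  ["169.254.0.0", 16],   // link-local (cloud metadata endpoints live here)
  ["172.16.0.0", 12],    // RFC 1918 private
  ["192.0.0.0", 24],     // IETF protocol assignments
  ["192.0.2.0", 24],     // TEST-NET-1
  ["192.168.0.0", 16],   // RFC 1918 private
  ["198.18.0.0", 15],    // RFC 2544 benchmarking: 198.18.0.0 - 198.19.255.255
  ["198.51.100.0", 24],  // TEST-NET-2
  ["203.0.113.0", 24],   // TEST-NET-3
  ["224.0.0.0", 4],      // multicast
  ["240.0.0.0", 4],      // reserved, includes limited broadcast
];

// Dotted-quad string -> unsigned 32-bit integer; throws on anything malformed.
function ipv4ToInt(ip) {
  const parts = ip.split(".");
  if (parts.length !== 4) throw new Error(`not an IPv4 address: ${ip}`);
  return parts.reduce((acc, p) => {
    const n = Number(p);
    if (!/^\d{1,3}$/.test(p) || n > 255) throw new Error(`bad octet in ${ip}`);
    return ((acc << 8) | n) >>> 0;
  }, 0);
}

// True when `ip` falls inside base/bits.
function inCidr(ip, base, bits) {
  const mask = bits === 0 ? 0 : (0xffffffff << (32 - bits)) >>> 0;
  return (ipv4ToInt(ip) & mask) === (ipv4ToInt(base) & mask);
}

function isSpecialUseV4(ip) {
  return SPECIAL_USE_V4.some(([base, bits]) => inCidr(ip, base, bits));
}

// preflight(url, opts) -> { allowed, reason, resolved }
//   opts.resolve      : hostname -> array of IPv4 strings (injected; real code
//                       would use dns.lookup / dns.promises.Resolver)
//   opts.proxy        : proxy URL or undefined
//   opts.proxyPolicy  : "resolve-locally" (default) or "trust-proxy"
function preflight(urlString, opts) {
  const url = new URL(urlString);
  if (url.protocol !== "http:" && url.protocol !== "https:") {
    return { allowed: false, reason: `unsupported scheme ${url.protocol}`, resolved: [] };
  }
  // "Solution 2" from the report: with a proxy configured, the proxy does the
  // name resolution, so a local lookup says nothing about where the request
  // actually lands. Skipping the local check is only safe if the proxy itself
  // enforces egress policy; otherwise it turns the proxy into an SSRF relay.
  if (opts.proxy && opts.proxyPolicy === "trust-proxy") {
    return { allowed: true, reason: "delegated to proxy egress policy", resolved: [] };
  }
  const ips = opts.resolve(url.hostname);
  const hit = ips.find(isSpecialUseV4);
  if (hit) {
    return {
      allowed: false,
      reason: `resolves to private/internal/special-use IP address (${hit})`,
      resolved: ips,
    };
  }
  return { allowed: true, reason: "ok", resolved: ips };
}

// Constructed resolvers standing in for the system DNS. The hijacked one mimics
// a TUN-mode VPN's fake-IP DNS, which hands out 198.18.x.x for every name; the
// clean one returns a constructed public address.
const hijackedResolver = (_hostname) => ["198.18.0.2"];
const cleanResolver = (_hostname) => ["93.184.216.34"];

// Stand-alone demo: same URL, same proxy, only the resolver differs.
const target = "https://example.com/";
console.log(preflight(target, { resolve: hijackedResolver, proxy: "http://127.0.0.1:1087" }));
console.log(preflight(target, { resolve: cleanResolver, proxy: "http://127.0.0.1:1087" }));
```

Two practical notes on the proposed fixes. A resolver override ("solution 1") corresponds in Node to `new dns.promises.Resolver()` with `setServers(["8.8.8.8"])` and `resolve4(hostname)`; whether that escapes the hijack depends on the VPN, since a TUN-mode client that intercepts port 53 traffic will answer those queries too. And whichever resolver is used, a pre-flight check that resolves once and then lets the HTTP client resolve again is open to DNS rebinding; the checked address has to be the one the socket actually connects to, or the guard has to run inside the connection hook.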
