WSL2 + Windows + remote Chrome CDP troubleshooting
This guide covers the common split-host setup where:
- OpenClaw Gateway runs inside WSL2
- Chrome runs on Windows
- browser control must cross the WSL2/Windows boundary
It also covers the layered failure pattern from issue #39369: several independent problems can show up at once, which makes the wrong layer look broken first.
Choose the right browser mode first
You have two valid patterns:
Option 1: Raw remote CDP from WSL2 to Windows
Use a remote browser profile that points from WSL2 to a Windows Chrome CDP endpoint.
Choose this when:
- the Gateway stays inside WSL2
- Chrome runs on Windows
- you need browser control to cross the WSL2/Windows boundary
Option 2: Host-local Chrome MCP
Use existing-session / user only when the Gateway itself runs on the same host as Chrome.
Choose this when:
- OpenClaw and Chrome are on the same machine
- you want the local signed-in browser state
- you do not need cross-host browser transport
For WSL2 Gateway + Windows Chrome, prefer raw remote CDP. Chrome MCP is host-local, not a WSL2-to-Windows bridge.
Working architecture
Reference shape:
- WSL2 runs the Gateway on
127.0.0.1:18789
- Windows opens the Control UI in a normal browser at
http://127.0.0.1:18789/
- Windows Chrome exposes a CDP endpoint on port
9222
- WSL2 can reach that Windows CDP endpoint
- OpenClaw points a browser profile at the address that is reachable from WSL2
Why this setup is confusing
Several failures can overlap:
- WSL2 cannot reach the Windows CDP endpoint
- the Control UI is opened from a non-secure origin
gateway.controlUi.allowedOrigins does not match the page origin- token or pairing is missing
- the browser profile points at the wrong address
Because of that, fixing one layer can still leave a different error visible.
Critical rule for the Control UI
When the UI is opened from Windows, use Windows localhost unless you have a deliberate HTTPS setup.
Use:
http://127.0.0.1:18789/
Do not default to a LAN IP for the Control UI. Plain HTTP on a LAN or tailnet address can trigger insecure-origin/device-auth behavior that is unrelated to CDP itself. See Control UI.
Validate in layers
Work top to bottom. Do not skip ahead.
Layer 1: Verify Chrome is serving CDP on Windows
Start Chrome on Windows with remote debugging enabled:
chrome.exe --remote-debugging-port=9222
curl http://127.0.0.1:9222/json/version
curl http://127.0.0.1:9222/json/list
Layer 2: Verify WSL2 can reach that Windows endpoint
From WSL2, test the exact address you plan to use in cdpUrl:
curl http://WINDOWS_HOST_OR_IP:9222/json/version
curl http://WINDOWS_HOST_OR_IP:9222/json/list
/json/version returns JSON with Browser / Protocol-Version metadata/json/list returns JSON (empty array is fine if no pages are open)
If this fails:
- Windows is not exposing the port to WSL2 yet
- the address is wrong for the WSL2 side
- firewall / port forwarding / local proxying is still missing
Fix that before touching OpenClaw config.
For raw remote CDP, point OpenClaw at the address that is reachable from WSL2:
{
browser: {
enabled: true,
defaultProfile: "remote",
profiles: {
remote: {
cdpUrl: "http://WINDOWS_HOST_OR_IP:9222",
attachOnly: true,
color: "#00AA00",
},
},
},
}
- use the WSL2-reachable address, not whatever only works on Windows
- keep
attachOnly: true for externally managed browsers
- test the same URL with
curl before expecting OpenClaw to succeed
Layer 4: Verify the Control UI layer separately
Open the UI from Windows:
http://127.0.0.1:18789/
Then verify:
- the page origin matches what
gateway.controlUi.allowedOrigins expects
- token auth or pairing is configured correctly
- you are not debugging a Control UI auth problem as if it were a browser problem
Helpful page:
Layer 5: Verify end-to-end browser control
From WSL2:
openclaw browser open https://example.com --browser-profile remote
openclaw browser tabs --browser-profile remote
- the tab opens in Windows Chrome
openclaw browser tabs returns the target- later actions (
snapshot, screenshot, navigate) work from the same profile
Common misleading errors
Treat each message as a layer-specific clue:
control-ui-insecure-auth
- UI origin / secure-context problem, not a CDP transport problem
token_missing
- auth configuration problem
pairing required
Remote CDP for profile "remote" is not reachable
- WSL2 cannot reach the configured
cdpUrl
gateway timeout after 1500ms
- often still CDP reachability or a slow/unreachable remote endpoint
No Chrome tabs found for profile="user"
- local Chrome MCP profile selected where no host-local tabs are available
Fast triage checklist
- Windows: does
curl http://127.0.0.1:9222/json/version work?
- WSL2: does
curl http://WINDOWS_HOST_OR_IP:9222/json/version work?
- OpenClaw config: does
browser.profiles.<name>.cdpUrl use that exact WSL2-reachable address?
- Control UI: are you opening
http://127.0.0.1:18789/ instead of a LAN IP?
- Are you trying to use
existing-session across WSL2 and Windows instead of raw remote CDP?
Practical takeaway
The setup is usually viable. The hard part is that browser transport, Control UI origin security, and token/pairing can each fail independently while looking similar from the user side.
When in doubt:
- verify the Windows Chrome endpoint locally first
- verify the same endpoint from WSL2 second
- only then debug OpenClaw config or Control UI auth
Last modified on March 22, 2026
