Using microvm.nix to sandbox Openclaw
My initial instinct was to go full near-airgap: remove the default route, run an SNI-based TLS proxy on the host, and only allow traffic to api.telegram.org and openrouter.ai. I built this with unbound returning fake DNS records pointing at the host bridge IP, nginx stream with ssl_preread doing SNI-based forwarding, and nftables dropping everything in the FORWARD chain.

It worked, technically. But it was brittle. The proxy needed careful handling of dynamic IPs, and Openclaw’s error messages when DNS returned unexpected results were… unhelpful.
For this demo, I just said screw it and allowed everything (with a log). The VM has full internet access, but every DNS query and every new connection is visible from the host.
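Both policies described above (the SNI-allowlist lockdown and the allow-everything-but-log setup) can be expressed as one host-side NixOS module, switched by a single boolean. The module below is an added example written for this post, not the author's configuration or anything from microvm.nix itself. It assumes the VM-facing bridge is called vmbr0 with the host at 10.0.0.1 on 10.0.0.0/24 (constructed placeholders), that the VM is told to use 10.0.0.1 as its only resolver (and, in lockdown mode, is given no default route), and that the nginx package carries the stream ssl_preread module, which the default nixpkgs build does. The NixOS options used (services.unbound.settings, services.nginx.streamConfig, networking.nftables.ruleset, networking.firewall.interfaces) are real, but check them against your nixpkgs revision.

```nix
# Added example (not the post's code): host-side NixOS module implementing
# the two network policies discussed, selected by `lockdown`.
# Assumed names: VM-facing bridge "vmbr0", host IP 10.0.0.1 on 10.0.0.0/24,
# VM configured to use 10.0.0.1 as its only resolver.
{ config, lib, pkgs, ... }:

let
  lockdown    = true;                 # true: SNI allowlist; false: allow all, log all
  vmIf        = "vmbr0";              # assumption: VM-facing bridge interface
  bridgeIp    = "10.0.0.1";           # assumption: host address on that bridge
  vmNet       = "10.0.0.0/24";        # assumption: VM subnet
  upstreamDns = "9.9.9.9";            # any real resolver the host can reach
  allowed     = [ "api.telegram.org" "openrouter.ai" ];
in
{
  # Host resolver on the bridge. Lockdown: every allowed name resolves to the
  # host itself (i.e. the SNI proxy) and every other name is NXDOMAIN.
  # Permissive: real recursion, but every query is written to the journal.
  services.unbound = {
    enable = true;
    settings = {
      server = {
        interface = [ bridgeIp ];
        access-control = [ "${vmNet} allow" ];
        log-queries = !lockdown;
      } // lib.optionalAttrs lockdown {
        local-zone = [ "\".\" static" ];
        local-data = map (h: "\"${h}. A ${bridgeIp}\"") allowed;
      };
      forward-zone = lib.optionals (!lockdown) [
        { name = "."; forward-addr = [ upstreamDns ]; }
      ];
    };
  };

  # SNI proxy: only present in lockdown mode, only forwards the allowed names.
  services.nginx = lib.mkIf lockdown {
    enable = true;
    streamConfig = ''
      # Map the client's SNI to the real upstream. Unknown names go to a
      # closed local port, so the VM just sees "connection refused".
      map $ssl_preread_server_name $sni_upstream {
        ${lib.concatMapStringsSep "\n        " (h: "${h} ${h}:443;") allowed}
        default 127.0.0.1:1;
      }
      server {
        listen ${bridgeIp}:443;
        resolver ${upstreamDns};   # nginx resolves the real upstream itself
        ssl_preread on;
        proxy_pass $sni_upstream;
      }
    '';
  };

  # The VM may reach the host's resolver (and, in lockdown, the proxy);
  # nothing else on the host is exposed to it.
  networking.firewall.interfaces.${vmIf} = {
    allowedUDPPorts = [ 53 ];
    allowedTCPPorts = lib.optional lockdown 443;
  };

  # Forwarding policy. Lockdown: log and drop anything the VM tries to route
  # through the host. Permissive: NAT it out, but log every new flow.
  boot.kernel.sysctl."net.ipv4.ip_forward" = if lockdown then 0 else 1;
  networking.nftables = {
    enable = true;
    ruleset = ''
      table inet vmguard {
        chain forward {
          type filter hook forward priority filter; policy drop;
          ct state established,related accept
          iifname "${vmIf}" ct state new log prefix "vm-new: " ${if lockdown then "drop" else "accept"}
        }
        ${lib.optionalString (!lockdown) ''
          chain postrouting {
            type nat hook postrouting priority srcnat; policy accept;
            ip saddr ${vmNet} masquerade
          }
        ''}
      }
    '';
  };
}
```

With `lockdown = false` this is the demo setup from the paragraph above: `journalctl -k` shows one `vm-new:` kernel log line per new outbound flow from the VM, and unbound's query log shows every name it asked for. With `lockdown = true` the proxy never has to learn the upstream's changing IPs in advance, because nginx resolves the real host at connect time, which is the part that was brittle in a hand-rolled version.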
Continuing my research around microvm, I discovered microvm.nix and yet another way of monitoring and/or locking down networking for VMs that will be used by agents.