team-telnyx/telnyx-network
tools/network/SKILL.md
Private mesh networking and public IP exposure via Telnyx WireGuard infrastructure. Connect nodes securely or expose services to the internet.
$ install --global
skillsauthnpx skillsauth add team-telnyx/telnyx-toolkit telnyx-networkInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Apr 24, 2026, 8:45 PM1.8s1 file scanned
SKILL.md
- name:
- telnyx-network
- description:
- Private mesh networking and public IP exposure via Telnyx WireGuard infrastructure. Connect nodes securely or expose services to the internet.
- metadata:
- {"openclaw":{"emoji":"🌐","requires":{"bins":["wg"],"env":["TELNYX_API_KEY"]},"primaryEnv":"TELNYX_API_KEY"}}
Telnyx Network
Private mesh networking and public IP exposure via Telnyx WireGuard infrastructure.
Requirements
- Telnyx API Key — Get one free
- WireGuard installed on your machine
Agent Use (OpenClaw)
WireGuard requires elevated permissions to create network interfaces. For OpenClaw to manage your mesh autonomously, run this once:
sudo ./setup-sudoers.sh
This adds a sudoers rule allowing WireGuard commands without password prompts. After setup, your agent can:
# Agent can now do all of this without password prompts:
./setup.sh --region ashburn-va
./join.sh --name "my-node" --apply
./register.sh --name "my-node"
./teardown.sh
What it does:
- Adds
/etc/sudoers.d/wireguard-<username> - Only allows
wgandwg-quickcommands (not blanket sudo) - Can be removed anytime:
sudo rm /etc/sudoers.d/wireguard-*
Without this setup, the agent can still create networks and generate configs, but you'll need to manually run sudo wg-quick up <config> to connect.
Two Modes
Mesh Mode (Private)
Connect multiple machines in a private network. Like Tailscale, but on Telnyx infrastructure.
./setup.sh --region ashburn-va
./join.sh --name "laptop"
./join.sh --name "server" # run on server
# Now laptop and server can talk via 172.27.0.x
Cost: $10/month (WireGuard Gateway)
Expose Mode (Public)
Get a public IP and expose services to the internet.
./setup.sh --region ashburn-va
./join.sh --name "server" --apply
./add-public-ip.sh
./expose.sh 443
# Now https://64.16.x.x:443 reaches your server
Cost: $60/month (WireGuard Gateway + Internet Gateway)
Commands
| Command | Description |
|---------|-------------|
| sudo ./setup-sudoers.sh | Enable passwordless sudo for WireGuard (one-time, for agent use) |
| ./setup.sh --region <code> | Create network + WireGuard gateway |
| ./join.sh --name <name> | Add this machine to the mesh |
| ./peers.sh | List all connected peers |
| ./add-public-ip.sh | Add internet gateway (public IP) |
| ./expose.sh <port> | Open a port |
| ./unexpose.sh <port> | Close a port |
| ./status.sh | Show full status |
| ./teardown.sh | Delete everything |
| ./register.sh --name <name> | Register node in mesh registry |
| ./discover.sh | Discover other nodes on mesh |
| ./unregister.sh --name <name> | Remove node from registry |
Node Discovery
Nodes on the mesh can find each other using a registry stored in Telnyx Storage. This enables OpenClaw instances to automatically discover and communicate with each other.
Register This Node
After joining the mesh, register your node so others can find it:
./register.sh --name "home-server"
Discover Other Nodes
Find all registered nodes on the mesh:
./discover.sh
# Output:
# NAME IP HOSTNAME REGISTERED
# home-server 172.27.0.1 macbook.local 2026-01-31 ✅
# work-laptop 172.27.0.2 thinkpad 2026-01-31 ✅
# JSON output for scripts
./discover.sh --json
Unregister
Remove a node from the registry:
./unregister.sh --name "old-server"
Use Case: Multi-OpenClaw Communication
# On OpenClaw A
./join.sh --name "openclaw-a" --apply
./register.sh --name "openclaw-a"
# On OpenClaw B
./join.sh --name "openclaw-b" --apply
./register.sh --name "openclaw-b"
# Either can now discover the other
./discover.sh
# → Shows both openclaw-a and openclaw-b with their mesh IPs
# Direct communication works via mesh IPs
curl http://172.27.0.2:18789/health # OpenClaw B's gateway
This completes the "host-to-local node sessions" and "direct comms between OpenClaws" use cases.
Regions
| Region | Code | Location |
|--------|------|----------|
| US East | ashburn-va | Ashburn, VA |
| US Central | chicago-il | Chicago, IL |
| EU | frankfurt-de | Frankfurt, DE |
| EU | amsterdam-nl | Amsterdam, NL |
Get full list:
./setup.sh --region help
Safety
Blocked Ports (need --force)
- 22 (SSH)
- 23 (Telnet)
- 3306 (MySQL)
- 5432 (PostgreSQL)
- 6379 (Redis)
- 27017 (MongoDB)
Firewall
Only explicitly exposed ports accept traffic on the WireGuard interface. All other ports are blocked by default.
Configuration
All state is stored in config.json:
{
"network_id": "...",
"region": "ashburn-va",
"wireguard_gateway": {
"id": "...",
"endpoint": "64.16.x.x:5107",
"subnet": "172.27.0.1/24"
},
"internet_gateway": {
"id": "...",
"public_ip": "64.16.x.x"
},
"peers": [...],
"exposed_ports": [443, 80]
}
Use Cases
1. Connect OpenClaw Instances
# On main server
./setup.sh --region ashburn-va
./join.sh --name "openclaw-main" --apply
# On secondary server
./join.sh --name "openclaw-backup" --apply
# Now they can communicate securely
2. Expose Webhook Endpoint
./add-public-ip.sh
./expose.sh 443
# Configure your webhook URL as https://64.16.x.x/webhook
3. Multi-Region Mesh
./setup.sh --region ashburn-va
./join.sh --name "us-east-server"
# Same network, different region gateway
./setup.sh --region frankfurt-de --name same-network
./join.sh --name "eu-server"
Pricing
| Component | Monthly Cost | |-----------|--------------| | WireGuard Gateway | $10 | | Internet Gateway | $50 | | Peers | Free | | Traffic | Free (beta) |
Troubleshooting
"Gateway still provisioning"
Wait 5-10 minutes after setup for the gateway to be ready.
"Connection refused"
- Check WireGuard is running:
sudo wg show - Check port is exposed:
./status.sh - Check firewall:
sudo iptables -L -n
"Permission denied"
WireGuard requires root. Run with sudo or use --apply flag.
License
MIT
Related Skills
team-telnyx/telnyx-webrtc-client-react-native
tools
VerifiedTrustedCommunity
Build cross-platform VoIP calling apps with React Native using Telnyx Voice SDK. High-level reactive API with automatic lifecycle management, CallKit/ConnectionService integration, and push notifications. Use for mobile VoIP apps with minimal setup.
2SKILL.mdUpdated Apr 15, 2026
team-telnyx/telnyx-webrtc-client-js
tools
VerifiedTrustedCommunity
Build browser-based VoIP calling apps using Telnyx WebRTC JavaScript SDK. Covers authentication, voice calls, events, debugging, call quality metrics, and AI Agent integration. Use for web-based real-time communication.
2SKILL.mdUpdated Apr 15, 2026
team-telnyx/telnyx-webrtc-client-ios
tools
VerifiedTrustedCommunity
Build VoIP calling apps on iOS using Telnyx WebRTC SDK. Covers authentication, making/receiving calls, CallKit integration, PushKit/APNS push notifications, call quality metrics, and AI Agent integration. Use when implementing real-time voice communication on iOS.
2SKILL.mdUpdated Apr 15, 2026
team-telnyx/telnyx-webrtc-client-flutter
tools
VerifiedTrustedCommunity
Build cross-platform VoIP calling apps with Flutter using Telnyx WebRTC SDK. Covers authentication, making/receiving calls, push notifications (FCM + APNS), call quality metrics, and AI Agent integration. Works on Android, iOS, and Web.
2SKILL.mdUpdated Apr 15, 2026