Remote access

This repo supports remote gateway access by keeping a single Gateway (the master) running on a dedicated host (desktop/server) and connecting clients to it.

For operators (you / the macOS app): direct LAN/Tailnet WebSocket is simplest when the gateway is reachable; SSH tunneling is the universal fallback.
For nodes (iOS/Android and future devices): connect to the Gateway WebSocket (LAN/tailnet or SSH tunnel as needed).

The core idea

The Gateway WebSocket usually binds to loopback on your configured port (defaults to 18789).
For remote use, expose it through Tailscale Serve or a trusted LAN/Tailnet bind, or forward the loopback port over SSH.

Common VPN and tailnet setups

Think of the Gateway host as where the agent lives. It owns sessions, auth profiles, channels, and state. Your laptop, desktop, and nodes connect to that host.

Always-on Gateway in your tailnet

Run the Gateway on a persistent host (VPS or home server) and reach it via Tailscale or SSH.

Best UX: keep gateway.bind: "loopback" and use Tailscale Serve for the Control UI.
Trusted LAN/Tailnet: bind the gateway to a private interface and connect directly with gateway.remote.transport: "direct".
Fallback: keep loopback plus SSH tunnel from any machine that needs access.
Examples: exe.dev (easy VM) or Hetzner (production VPS).

Ideal when your laptop sleeps often but you want the agent always-on.

Home desktop runs the Gateway

The laptop does not run the agent. It connects remotely:

Use the macOS app’s remote mode (Settings → General → OpenClaw runs).
The app connects directly when the gateway is reachable on LAN/Tailnet, or opens and manages an SSH tunnel when you choose SSH.

Runbook: macOS remote access.

Laptop runs the Gateway

Keep the Gateway local but expose it safely:

SSH tunnel to the laptop from other machines, or
Tailscale Serve the Control UI and keep the Gateway loopback-only.

Guides: Tailscale and Web overview.

Command flow (what runs where)

One gateway service owns state + channels. Nodes are peripherals. Flow example (Telegram → node):

Telegram message arrives at the Gateway.
Gateway runs the agent and decides whether to call a node tool.
Gateway calls the node over the Gateway WebSocket (node.* RPC).
Node returns the result; Gateway replies back out to Telegram.

Notes:

Nodes do not run the gateway service. Only one gateway should run per host unless you intentionally run isolated profiles (see Multiple gateways).
macOS app “node mode” is just a node client over the Gateway WebSocket.

SSH tunnel (CLI + tools)

Create a local tunnel to the remote Gateway WS:

ssh -N -L 18789:127.0.0.1:18789 user@host

With the tunnel up:

openclaw health and openclaw status --deep now reach the remote gateway via ws://127.0.0.1:18789.
openclaw gateway status, openclaw gateway health, openclaw gateway probe, and openclaw gateway call can also target the forwarded URL via --url when needed.

Replace 18789 with your configured gateway.port (or --port or OPENCLAW_GATEWAY_PORT).

When you pass --url, the CLI does not fall back to config or environment credentials. Include --token or --password explicitly. Missing explicit credentials is an error.

CLI remote defaults

You can persist a remote target so CLI commands use it by default:

{
  gateway: {
    mode: "remote",
    remote: {
      url: "ws://127.0.0.1:18789",
      token: "your-token",
    },
  },
}

When the gateway is loopback-only, keep the URL at ws://127.0.0.1:18789 and open the SSH tunnel first. In the macOS app’s SSH tunnel transport, discovered gateway hostnames belong in gateway.remote.sshTarget; gateway.remote.url remains the local tunnel URL. If those ports differ, set gateway.remote.remotePort to the gateway port on the SSH host. For a gateway already reachable on a trusted LAN or Tailnet, use direct mode:

{
  gateway: {
    mode: "remote",
    remote: {
      transport: "direct",
      url: "ws://192.168.0.202:18789",
      token: "your-token",
    },
  },
}

Credential precedence

Gateway credential resolution follows one shared contract across call/probe/status paths and Discord exec-approval monitoring. Node-host uses the same base contract with one local-mode exception (it intentionally ignores gateway.remote.*):

Explicit credentials (--token, --password, or tool gatewayToken) always win on call paths that accept explicit auth.
URL override safety:
- CLI URL overrides (--url) never reuse implicit config/env credentials.
- Env URL overrides (OPENCLAW_GATEWAY_URL) may use env credentials only (OPENCLAW_GATEWAY_TOKEN / OPENCLAW_GATEWAY_PASSWORD).
Local mode defaults:
- token: OPENCLAW_GATEWAY_TOKEN -> gateway.auth.token -> gateway.remote.token (remote fallback applies only when local auth token input is unset)
- password: OPENCLAW_GATEWAY_PASSWORD -> gateway.auth.password -> gateway.remote.password (remote fallback applies only when local auth password input is unset)
Remote mode defaults:
- token: gateway.remote.token -> OPENCLAW_GATEWAY_TOKEN -> gateway.auth.token
- password: OPENCLAW_GATEWAY_PASSWORD -> gateway.remote.password -> gateway.auth.password
Node-host local-mode exception: gateway.remote.token / gateway.remote.password are ignored.
Remote probe/status token checks are strict by default: they use gateway.remote.token only (no local token fallback) when targeting remote mode.
Gateway env overrides use OPENCLAW_GATEWAY_* only.

Chat UI remote access

WebChat no longer uses a separate HTTP port. The SwiftUI chat UI connects directly to the Gateway WebSocket.

Forward 18789 over SSH (see above), then connect clients to ws://127.0.0.1:18789.
For LAN/Tailnet direct mode, connect clients to the configured private ws:// or secure wss:// URL.
On macOS, prefer the app’s remote mode, which manages the selected transport automatically.

macOS app remote mode

The macOS menu bar app can drive the same setup end-to-end (remote status checks, WebChat, and Voice Wake forwarding). Runbook: macOS remote access.

Security rules (remote/VPN)

Short version: keep the Gateway loopback-only unless you’re sure you need a bind.

Loopback + SSH/Tailscale Serve is the safest default (no public exposure).
Plaintext ws:// is accepted for loopback, LAN, link-local, .local, .ts.net, and Tailscale CGNAT hosts. Public remote hosts must use wss://.
Non-loopback binds (lan/tailnet/custom, or auto when loopback is unavailable) must use gateway auth: token, password, or an identity-aware reverse proxy with gateway.auth.mode: "trusted-proxy".
gateway.remote.token / .password are client credential sources. They do not configure server auth by themselves.
Local call paths can use gateway.remote.* as fallback only when gateway.auth.* is unset.
If gateway.auth.token / gateway.auth.password is explicitly configured via SecretRef and unresolved, resolution fails closed (no remote fallback masking).
gateway.remote.tlsFingerprint pins the remote TLS cert when using wss://, including macOS direct mode. Without a configured or previously stored pin, macOS only pins a first-use certificate after normal system trust passes; self-signed or private-CA gateways that macOS does not already trust need an explicit fingerprint or Remote over SSH.
Tailscale Serve can authenticate Control UI/WebSocket traffic via identity headers when gateway.auth.allowTailscale: true; HTTP API endpoints do not use that Tailscale header auth and instead follow the gateway’s normal HTTP auth mode. This tokenless flow assumes the gateway host is trusted. Set it to false if you want shared-secret auth everywhere.
Trusted-proxy auth expects non-loopback identity-aware proxy setups by default. Same-host loopback reverse proxies require explicit gateway.auth.trustedProxy.allowLoopback = true.
Treat browser control like operator access: tailnet-only + deliberate node pairing.

Deep dive: Security.

macOS: persistent SSH tunnel via LaunchAgent

For macOS clients connecting to a remote gateway, the easiest persistent setup uses an SSH LocalForward config entry plus a LaunchAgent to keep the tunnel alive across reboots and crashes.

Step 1: add SSH config

Edit ~/.ssh/config:

Host remote-gateway
    HostName <REMOTE_IP>
    User <REMOTE_USER>
    LocalForward 18789 127.0.0.1:18789
    IdentityFile ~/.ssh/id_rsa

Replace <REMOTE_IP> and <REMOTE_USER> with your values.

Step 2: copy SSH key (one-time)

ssh-copy-id -i ~/.ssh/id_rsa <REMOTE_USER>@<REMOTE_IP>

Step 3: configure the gateway token

Store the token in config so it persists across restarts:

openclaw config set gateway.remote.token "<your-token>"

Step 4: create the LaunchAgent

Save this as ~/Library/LaunchAgents/ai.openclaw.ssh-tunnel.plist:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>ai.openclaw.ssh-tunnel</string>
    <key>ProgramArguments</key>
    <array>
        <string>/usr/bin/ssh</string>
        <string>-N</string>
        <string>remote-gateway</string>
    </array>
    <key>KeepAlive</key>
    <true/>
    <key>RunAtLoad</key>
    <true/>
</dict>
</plist>

Step 5: load the LaunchAgent

launchctl bootstrap gui/$UID ~/Library/LaunchAgents/ai.openclaw.ssh-tunnel.plist

The tunnel will start automatically at login, restart on crash, and keep the forwarded port live.

If you have a leftover com.openclaw.ssh-tunnel LaunchAgent from an older setup, unload and delete it.

Troubleshooting

Check if the tunnel is running:

ps aux | grep "ssh -N remote-gateway" | grep -v grep
lsof -i :18789

Restart the tunnel:

launchctl kickstart -k gui/$UID/ai.openclaw.ssh-tunnel

Stop the tunnel:

launchctl bootout gui/$UID/ai.openclaw.ssh-tunnel

Config entry	What it does
`LocalForward 18789 127.0.0.1:18789`	Forwards local port 18789 to remote port 18789
`ssh -N`	SSH without executing remote commands (port-forwarding only)
`KeepAlive`	Automatically restarts the tunnel if it crashes
`RunAtLoad`	Starts the tunnel when the LaunchAgent loads at login

Gateway

Security

Nodes and media

Web interfaces

Remote access

The core idea

Common VPN and tailnet setups

Always-on Gateway in your tailnet

Home desktop runs the Gateway

Laptop runs the Gateway

Command flow (what runs where)

SSH tunnel (CLI + tools)

CLI remote defaults

Credential precedence

Chat UI remote access

macOS app remote mode

Security rules (remote/VPN)

macOS: persistent SSH tunnel via LaunchAgent

Step 1: add SSH config

Step 2: copy SSH key (one-time)

Step 3: configure the gateway token

Step 4: create the LaunchAgent

Step 5: load the LaunchAgent

Troubleshooting

Gateway

Remote access

Security

Nodes and media

Web interfaces

Documentation Index

​The core idea

​Common VPN and tailnet setups

​Always-on Gateway in your tailnet

​Home desktop runs the Gateway

​Laptop runs the Gateway

​Command flow (what runs where)

​SSH tunnel (CLI + tools)

​CLI remote defaults

​Credential precedence

​Chat UI remote access

​macOS app remote mode

​Security rules (remote/VPN)

​macOS: persistent SSH tunnel via LaunchAgent

​Step 1: add SSH config

​Step 2: copy SSH key (one-time)

​Step 3: configure the gateway token

​Step 4: create the LaunchAgent

​Step 5: load the LaunchAgent

​Troubleshooting

​Related

The core idea

Common VPN and tailnet setups

Always-on Gateway in your tailnet

Home desktop runs the Gateway

Laptop runs the Gateway

Command flow (what runs where)

SSH tunnel (CLI + tools)

CLI remote defaults

Credential precedence

Chat UI remote access

macOS app remote mode

Security rules (remote/VPN)

macOS: persistent SSH tunnel via LaunchAgent

Step 1: add SSH config

Step 2: copy SSH key (one-time)

Step 3: configure the gateway token

Step 4: create the LaunchAgent

Step 5: load the LaunchAgent

Troubleshooting

Related