Docs: clarify node host SSH tunnel flow

Co-authored-by: Dmytro Semchuk <x0m4ek@users.noreply.github.com>
2026-02-19 18:39:20 -05:00 · 2026-02-01 19:50:33 -05:00
parent 8c7901c984
commit 63c9fac9fc
1 changed files with 23 additions and 1 deletions
--- a/docs/nodes/index.md
+++ b/docs/nodes/index.md
@@ -61,6 +61,28 @@ On the node machine:
 openclaw node run --host <gateway-host> --port 18789 --display-name "Build Node"
 ```

+### Remote gateway via SSH tunnel (loopback bind)
+
+If the Gateway binds to loopback (`gateway.bind=loopback`, default in local mode),
+remote node hosts cannot connect directly. Create an SSH tunnel and point the
+node host at the local end of the tunnel.
+
+Example (node host -> gateway host):
+
+```bash
+# Terminal A (keep running): forward local 18790 -> gateway 127.0.0.1:18789
+ssh -N -L 18790:127.0.0.1:18789 user@gateway-host
+
+# Terminal B: export the gateway token and connect through the tunnel
+export OPENCLAW_GATEWAY_TOKEN="<gateway-token>"
+openclaw node run --host 127.0.0.1 --port 18790 --display-name "Build Node"
+```
+
+Notes:
+
+- The token is `gateway.auth.token` from the gateway config (`~/.openclaw/openclaw.json` on the gateway host).
+- `openclaw node run` reads `OPENCLAW_GATEWAY_TOKEN` for auth.
+
 ### Start a node host (service)

 ```bash
@@ -316,4 +338,4 @@ Notes:
 ## Mac node mode

 - The macOS menubar app connects to the Gateway WS server as a node (so `openclaw nodes …` works against this Mac).
- In remote mode, the app opens an SSH tunnel for the Gateway port and connects to `localhost`.
+- In remote mode, the app opens an SSH tunnel for the Gateway port and connects to `localhost`.