diff --git a/docs/nodes/index.md b/docs/nodes/index.md
index a60a9ce30d..d471f3d829 100644
--- a/docs/nodes/index.md
+++ b/docs/nodes/index.md
@@ -61,6 +61,28 @@ On the node machine:
 openclaw node run --host <gateway-host> --port 18789 --display-name "Build Node"
 ```
 
+### Remote gateway via SSH tunnel (loopback bind)
+
+If the Gateway binds to loopback (`gateway.bind=loopback`, default in local mode),
+remote node hosts cannot connect directly. Create an SSH tunnel and point the
+node host at the local end of the tunnel.
+
+Example (node host -> gateway host):
+
+```bash
+# Terminal A (keep running): forward local 18790 -> gateway 127.0.0.1:18789
+ssh -N -L 18790:127.0.0.1:18789 user@gateway-host
+
+# Terminal B: export the gateway token and connect through the tunnel
+export OPENCLAW_GATEWAY_TOKEN="<gateway-token>"
+openclaw node run --host 127.0.0.1 --port 18790 --display-name "Build Node"
+```
+
+Notes:
+
+- The token is `gateway.auth.token` from the gateway config (`~/.openclaw/openclaw.json` on the gateway host).
+- `openclaw node run` reads `OPENCLAW_GATEWAY_TOKEN` for auth.
+
 ### Start a node host (service)
 
 ```bash
@@ -316,4 +338,4 @@ Notes:
 ## Mac node mode
 
 - The macOS menubar app connects to the Gateway WS server as a node (so `openclaw nodes …` works against this Mac).
-- In remote mode, the app opens an SSH tunnel for the Gateway port and connects to `localhost`.
+- In remote mode, the app opens an SSH tunnel for the Gateway port and connects to `localhost`.
\ No newline at end of file