Remote gateway setup
This content has been merged into Remote Access. See that page for the current guide.
Running OpenClaw.app with a Remote Gateway
Section titled “Running OpenClaw.app with a Remote Gateway”OpenClaw.app uses SSH tunneling to connect to a remote gateway. This guide shows you how to set it up.
Overview
Section titled “Overview”flowchart TB subgraph Client["Client Machine"] direction TB A["OpenClaw.app"] B["ws://127.0.0.1:18789\n(local port)"] T["SSH Tunnel"]
A --> B B --> T end subgraph Remote["Remote Machine"] direction TB C["Gateway WebSocket"] D["ws://127.0.0.1:18789"]
C --> D end T --> CQuick setup
Section titled “Quick setup”Step 1: Add SSH Config
Section titled “Step 1: Add SSH Config”Edit ~/.ssh/config and add:
Host remote-gateway HostName <REMOTE_IP> # e.g., 172.27.187.184 User <REMOTE_USER> # e.g., jefferson LocalForward 18789 127.0.0.1:18789 IdentityFile ~/.ssh/id_rsaReplace <REMOTE_IP> and <REMOTE_USER> with your values.
Step 2: Copy SSH Key
Section titled “Step 2: Copy SSH Key”Copy your public key to the remote machine (enter password once):
ssh-copy-id -i ~/.ssh/id_rsa <REMOTE_USER>@<REMOTE_IP>Step 3: Configure Remote Gateway Auth
Section titled “Step 3: Configure Remote Gateway Auth”openclaw config set gateway.remote.token "<your-token>"Use gateway.remote.password instead if your remote gateway uses password auth.
OPENCLAW_GATEWAY_TOKEN is still valid as a shell-level override, but the durable
remote-client setup is gateway.remote.token / gateway.remote.password.
Step 4: Start SSH Tunnel
Section titled “Step 4: Start SSH Tunnel”ssh -N remote-gateway &Step 5: Restart OpenClaw.app
Section titled “Step 5: Restart OpenClaw.app”# Quit OpenClaw.app (⌘Q), then reopen:open /path/to/OpenClaw.appThe app will now connect to the remote gateway through the SSH tunnel.
Auto-Start Tunnel on Login
Section titled “Auto-Start Tunnel on Login”To have the SSH tunnel start automatically when you log in, create a Launch Agent.
Create the PLIST file
Section titled “Create the PLIST file”Save this as ~/Library/LaunchAgents/ai.openclaw.ssh-tunnel.plist:
<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"><plist version="1.0"><dict> <key>Label</key> <string>ai.openclaw.ssh-tunnel</string> <key>ProgramArguments</key> <array> <string>/usr/bin/ssh</string> <string>-N</string> <string>remote-gateway</string> </array> <key>KeepAlive</key> <true/> <key>RunAtLoad</key> <true/></dict></plist>Load the Launch Agent
Section titled “Load the Launch Agent”launchctl bootstrap gui/$UID ~/Library/LaunchAgents/ai.openclaw.ssh-tunnel.plistThe tunnel will now:
- Start automatically when you log in
- Restart if it crashes
- Keep running in the background
Legacy note: remove any leftover com.openclaw.ssh-tunnel LaunchAgent if present.
Troubleshooting
Section titled “Troubleshooting”Check if tunnel is running:
ps aux | grep "ssh -N remote-gateway" | grep -v greplsof -i :18789Restart the tunnel:
launchctl kickstart -k gui/$UID/ai.openclaw.ssh-tunnelStop the tunnel:
launchctl bootout gui/$UID/ai.openclaw.ssh-tunnelHow it works
Section titled “How it works”| Component | What It Does |
|---|---|
LocalForward 18789 127.0.0.1:18789 | Forwards local port 18789 to remote port 18789 |
ssh -N | SSH without executing remote commands (just port forwarding) |
KeepAlive | Automatically restarts tunnel if it crashes |
RunAtLoad | Starts tunnel when the agent loads |
OpenClaw.app connects to ws://127.0.0.1:18789 on your client machine. The SSH tunnel forwards that connection to port 18789 on the remote machine where the Gateway is running.