Teams increasingly split responsibilities: the OpenClaw gateway runs on a dedicated macOS host—often a rented cloud Mac mini—while engineers invoke openclaw from laptops or CI runners. SSH port forwarding bridges the gap without publishing the gateway to the public internet: your local CLI talks to 127.0.0.1, and OpenSSH maps that socket to the remote loopback where the daemon listens. This playbook covers tunnel patterns, latency budgets, health probes, and how the setup intersects with macOS privacy prompts. Read it alongside gateway onboarding and TCC and wire observability using gateway health monitoring so synthetic checks fail before humans notice chat-backlog delays.
Why tunnel instead of exposing ports
Binding the gateway to 0.0.0.0 on a cloud VM invites port scans and misconfigured firewall rules. Loopback binding plus SSH leverages existing key-based authentication, rate limits inherited from sshd, and optional jump hosts for compliance. For WebSocket-heavy gateways, ensure idle timeouts on load balancers do not apply to your tunnel—most failures masquerade as mysterious disconnects in the CLI.
CI pipelines benefit because secrets stay in the runner’s environment: inject a short-lived SSH key, establish the tunnel step, run openclaw doctor, then tear everything down. Document the exact remote port in your runbook footer so on-call engineers do not guess between 18789 and a custom value after upgrades.
SSH local forward recipe
Assume the gateway listens on 127.0.0.1:18789 on the remote Mac. From your laptop:
ssh -N -L 18789:127.0.0.1:18789 [email protected]Then point OPENCLAW_GATEWAY_URL (or the CLI flag your version uses) at ws://127.0.0.1:18789. Add -o ServerAliveInterval=30 to keep NAT middleboxes from silently dropping long-lived forwards during overnight jobs.
For teams using Tailscale or ZeroTier, you may skip SSH when policy allows—but then you must still restrict who can reach the gateway IP. Tunnels remain attractive because they reuse SSH audit logs you already ship to your SIEM.
Windows and Linux developers can use the same forward pattern; the critical detail is consistent WebSocket upgrade headers through the tunnel. When corporate proxies break WebSockets, wrap SSH in ProxyCommand to exit through your bastion before hitting the Mac. Document the full command line in your internal wiki—partial snippets are how junior engineers accidentally forward to the wrong remote port after a gateway reinstall.
Automation tip: systemd user units or macOS LaunchAgents on the client side can keep tunnels alive during long jobs. Pair them with autossh or equivalent wrappers that exponential-backoff reconnects without hammering sshd. Log each reconnect with the gateway version string so support can correlate outages with releases.
Latency and SLO table
| Path | Typical p95 RTT | Operational note |
|---|---|---|
| Same metro cloud region | 20–60 ms | Feels native for most CLI commands. |
| Cross-region SSH | 120–220 ms | May need larger timeouts on tool calls. |
| Hotel Wi-Fi + VPN | 250+ ms | Expect agent retries; widen heartbeat windows. |
Align these numbers with the synthetic probes described in your health monitoring article: if p95 crosses 250 ms for five minutes, page someone before Slack channels flood with “laggy bot” messages.
Token streaming from LLM providers adds another layer: high RTT inflates time-to-first-token even when the gateway is healthy. Capture both gateway ping and model endpoint latency in one dashboard so you do not chase SSH issues when the real bottleneck is cross-region API routing.
Load testing: replay recorded CLI sessions against a staging mini with artificial delay (tc netem on Linux jump hosts) to find timeouts in your tool wrappers. Static marketing teams rarely do this—agent teams should, because a 2-second sleep in a plugin becomes unbearable at 300 ms RTT.
Operations on a rented mini
Rented Mac minis reset or resize disks more often than corporate laptops. Snapshot before gateway upgrades, export ~/.openclaw, and keep LaunchAgent plists under version control. When two engineers share one mini, namespace SSH keys and tunnel ports so afternoon demos do not collide with overnight CI.
Budget 30–45 minutes weekly on interactive VNC to clear TCC prompts that never trigger over SSH alone—especially after macOS minor updates. Short rental bursts average about $16.9/day, which is cheaper than missing a customer demo because accessibility permission silently revoked.
Security: rotating API keys should not require rebooting the entire host; restart only the gateway job. Pair tunnel documentation with firewall egress tests—some cloud providers block outbound WebSockets unless you file a ticket.
Observability: ship tunnel uptime metrics if you wrap SSH in systemd or launchd on the client side. Alert on reconnect loops, not single blips.
Disaster recovery: tarball state directories nightly with client-side encryption; test restores on a disposable mini quarterly. Document which environment variables must change when the forwarded local port shifts.
Collaboration: post-mortems should capture CLI version, gateway hash, SSH client flags, and whether health checks were green—those five facts close most repeat tickets.
Version skew remains the silent killer: npm-global CLI updates while the remote gateway binary stays pinned by LaunchAgent. After tunneling, run openclaw doctor until versions align; mismatched flags surface as cryptic WebSocket close codes. Keep a single toolchain lockfile checked into infra repos so CI and humans pull the same artifact.
Secrets hygiene: never export provider API keys into shell history on shared jump boxes; use ephemeral env injection or a vault sidecar. SSH tunnels do not encrypt application payloads if your gateway speaks plain HTTP—terminate TLS appropriately or tunnel stunnel if policy demands end-to-end encryption beyond SSH.
Finally, teach on-call to distinguish “tunnel down” from “gateway unhealthy”: the former breaks immediately at TCP connect time; the latter often shows established sockets but failing health responses. Split alerts so responders grab the right runbook first.
Documentation deliverable: add a one-page diagram showing laptop → bastion → cloud mini → gateway process → model provider, with port numbers and TLS boundaries highlighted. New hires should be able to reproduce your tunnel command on day one without asking in Slack.
Regression checklist before each release: rotate a throwaway API key through the tunneled CLI, verify streaming tokens arrive, and confirm filesystem sandbox paths still resolve on Sonoma versus Sequoia hosts.
Capture screenshots of successful handshakes in your release notes so auditors can trace each change without shell access.
FAQ
Should the gateway listen on 0.0.0.0 when using SSH tunnels?
Prefer loopback binding on the remote host and forward through SSH; avoid exposing the gateway port on the public interface unless firewall and TLS policies explicitly require it.
How much latency is acceptable over a tunnel?
Interactive use degrades above roughly 150–250 ms p95; measure with the same probes as production monitoring.
Does macOS TCC still apply on the cloud Mac?
Yes—complete prompts on the machine where the gateway runs, often via VNC, following onboarding guidance.
Mac mini on Apple Silicon is the natural home for always-on OpenClaw gateways: low power, quiet cooling, and native macOS toolchains. MacHTML rents bare-metal minis with SSH/VNC so you can rehearse tunnel + gateway setups without buying hardware—spin up, validate latency and health checks, tear down when the sprint ends.
OpenClaw gateway on a cloud Mac mini
Rent Mac mini time to practice SSH tunnels, gateway health probes, and doctor-backed diagnostics on real macOS.