Should I use an SSH tunnel or Direct (wss) for OpenClaw remote links?

Direct (wss) fits when the gateway is reachable on the public internet or your egress already allows WebSocket over TLS: the client uses openclaw onboard --mode remote --remote-url wss://… for the shortest path. An SSH tunnel helps when cross-region wss is blocked from the laptop, or when you need to map a Gateway listening on the remote loopback to your local machine before connecting. They are not mutually exclusive: the tunnel is transport wrapping; the terminal still runs wss client logic.

What does exit status 127 usually mean in OpenClaw troubleshooting?

In POSIX shells, 127 commonly means command not found: openclaw or node is missing from PATH, launchd did not load shell init, or a script shebang points at a missing interpreter. Compare which openclaw, echo $PATH, and launchctl print for the domain; interactive SSH and launchd jobs should share the same absolute paths or a single install prefix.

How do I narrow down Health or doctor reporting Gateway issues?

Run openclaw gateway status and compare with official openclaw doctor output; confirm listen bind (for example 127.0.0.1 only), that the tunnel forwards the expected port, and that the token matches onboard. Across regions, rule out DNS/TLS and corporate proxies cutting long-lived connections before blaming the app layer.

Why does Web Chat or a browser tool fail while the CLI works?

Mixed content policies, extensions blocking WebSocket, reverse proxies missing Upgrade, or a mismatch between the browser origin and the CLI remote-url. Put the browser origin, CLI wss endpoint, and SSH local forward target in one table and align them line by line.

What matters for daemon persistence on a Mac cloud host?

Follow official install/onboard and gateway install docs; use a LaunchAgent for residency; ensure the run user can write logs and the workspace. After reboot, run openclaw gateway status again. Avoid multiple plists binding the same listen port.

How do US East, US West, and APAC affect wss feel in selection?

Align the Gateway region with the people driving interactive work when possible; if repos and artifacts live in North America but operators sit in APAC, a direct trans-Pacific wss can still show high RTT—consider parallel splits: gateway in North America, APAC members using short-window VNC or a tunnel for acceptance. Concrete nodes follow your console.

Does M4 16GB vs 24GB change tunnel vs direct?

The link type is not memory-bound; the difference shows up under concurrent tools, browser sidecars, indexes, and stacked channels. 16GB suits single-session validation; 24GB reduces swap tail latency and Health jitter when a resident Gateway runs with parallel tools.

How do 1TB vs 2TB and parallel resources reduce perceived link instability?

Large disks reduce non-network failures from logs and caches filling the root volume; parallel splits decouple heavy compile and artifact upload from the Gateway, lowering CPU/IO and resident memory contention so issues are not misread as unstable wss. Fix cache roots and artifact paths in the runbook.

What is the official remote onboard command example?

CLI docs show: openclaw onboard --mode remote --remote-url wss://gateway-host:18789. Cleartext ws and OPENCLAW_ALLOW_INSECURE_PRIVATE_WS are break-glass only per the documented threat model. See https://docs.openclaw.ai/cli/onboard and Remote gateway setup.

How does this pair with the install runbook?

Finish install with openclaw doctor and gateway status as a baseline, then read this article for transport topology. Install steps live in the on-site follow-along OpenClaw Mac cloud host install article; both share the same official anchors.

2026 OpenClaw remote link path | SSH tunnel vs Direct wss US East West APAC M4

After OpenClaw is installed, the next gate is usually the remote link: how your laptop, CI bastion, or another Mac reaches a Gateway on a Vuncloud M4 cloud host (or the reverse: operators in APAC with a gateway in North America). Direct (wss) runs TLS and WebSocket in one hop—shortest path. An SSH tunnel (typically -L local port forwarding) replaces “cross-public wss” with “SSH into the machine first, then speak on local loopback.” This article puts both modes in one decision matrix, ties in US East, US West, and APAC follow-along placement, M4 16GB vs 24GB, 1TB/2TB and parallel resources, launchd daemon persistence, and FAQ for exit 127, Health, and Web Chat style failures. Facts stay anchored to Install, onboard CLI, and Remote gateway setup; the prior install runbook is OpenClaw on a Mac cloud host—install, SSH/VNC verify, regions, M4 RAM, storage & parallel FAQ.

Link patterns (SSH tunnel / Direct wss)

Structured FAQ (incl. 127 / Health / Web Chat)

HowTo (tunnel / direct)

Search intent: fix egress constraints before choosing transport

People often pit “SSH” against “wss.” More precisely: wss remains the application protocol between the OpenClaw client and the Gateway; SSH only substitutes the public path or moves the remote loopback port to your laptop loopback in some networks. Align on evidence with the table below, then change config.

What you see	Likely primary cause	Try first
wss handshake fails on corporate Wi‑Fi; mobile hotspot works	Egress blocks WebSocket/TLS or a proxy swaps certificates	Compliance allow-list; or an approved SSH tunnel around the blocked direct segment
Trans-ocean direct connects but drops often	High RTT plus middlebox idle timeouts; or single-host CPU/IO saturation	Align gateway region with operators; split parallel roles; use official gateway logging guidance
Only launchd fails; interactive SSH is fine	PATH differs from shell init (common exit 127)	Absolute paths in the plist or one install prefix; print launchctl environment
Browser Web Chat breaks; CLI is fine	Mixed content, extensions, or wrong browser origin	Align wss URL, certificates, and reverse-proxy Upgrade settings

How this relates to Vuncloud (qualitative)

Vuncloud offers dedicated Mac mini (M4 family) in US East, US West, and major APAC footprints. Where you place the Gateway should follow both your operators and the hot path to artifacts and model APIs; SKUs are on the plans and pricing page. Provisioning and remote session notes are in the help center.

SSH tunnel vs Direct (wss): comparison and boundaries

Here, Direct means the client follows official remote onboard to a wss:// endpoint. SSH tunnel means you maintain ssh -L (or equivalent), map the remote port to localhost, then connect. Port examples follow common CLI doc patterns—replace with your real gateway settings.

Dimension	Direct (wss)	SSH tunnel (-L)
Hops	Few: TLS straight to the gateway or termination point	Extra SSH layer; can bypass “laptop cannot reach cross-region wss”
Ops mental load	Certificates, DNS, token, and official doctor output are the source of truth	You also supervise tunnel liveness and local port drift
Security and compliance	Follow enterprise TLS and key rotation baselines	SSH needs MFA, jump hosts, and audit too; avoid stacking cleartext on both ends
Typical fit	Egress allows it; listen address and certs are ready	Temporary triage, messy cross-region DNS, or policy that only allows SSH

Direct (wss): minimal command and doc anchors

Official remote mode example is in onboard:

remote onboard (official shape)

openclaw onboard --mode remote --remote-url wss://gateway-host:18789

Cleartext ws:// and OPENCLAW_ALLOW_INSECURE_PRIVATE_WS belong only under the documented threat model; production defaults should follow upstream security guidance.

SSH tunnel: bring the remote Gateway to local loopback

When the Gateway listens only on remote 127.0.0.1 and you want to treat it like a local service from a laptop, local forwarding is the usual pattern (substitute real ports):

SSH local port forward (example)

# Laptop: map remote 127.0.0.1:18789 to local 18789
ssh -N -L 18789:127.0.0.1:18789 user@vuncloud-remote-host

Then point remote-url at wss://127.0.0.1:18789 or the documented form. If TLS terminates outside SSH, still follow official certificate checks—avoid “self-signed plus globally disable verification” combinations that are hard to audit.

US East, US West, APAC: one diagram for gateway vs operator

Region nuance also appears in the field notes Mac cloud host region and rental decisions and the CI/CD article Mac cloud host CI/CD. For OpenClaw, one line matters: wss RTT and loss amplify on tool round-trips. Trans-ocean is workable if you keep high-frequency interaction near people and batch or outbound channels near repos and APIs.

M4 16GB vs 24GB; 1TB/2TB; parallel splits: when the link “looks unstable”

Memory and disk do not change the wss protocol, but they change whether you misread swap churn, a full root volume, or multi-job contention as a network fault. Rule of thumb: a resident Gateway plus browser tools and parallel indexing favors 24GB for tail latency; 1TB/2TB absorbs logs, caches, and multi-version toolchains. Parallel instances split roles, cut single-host contention, and reduce false Health positives from CPU starvation.

Topology	Which “fake link” issues it helps	Cost
Single-host Direct wss	Simplest link; smallest triage surface	Build spikes can contend with Gateway I/O
Two-node parallel: A gateway / B heavy jobs	Smoother queues and Health	Tokens, cache roots, and certs must live in the runbook
Laptop SSH tunnel to a North America gateway	When egress only allows SSH	When the tunnel dies, everything dies—watch autossh, systemd, or Terminal sessions

Daemon persistence (launchd) and the gap where “only SSH works”

Official paths include openclaw onboard --install-daemon and launchd/LaunchAgent guidance in gateway install docs. Acceptance checklist:

Right after reboot, run openclaw gateway status—do not rely on memory of a manual start.
Use the same absolute Node/OpenClaw paths in launchd as in an interactive shell, or one official prefix installer, to avoid exit 127.
Confirm log directory and workspace permissions per official macOS logging docs.

FAQ: exit 127, Health, Web Chat, and cross-cutting tunnel/wss triage

Each item: symptom → quick read → action. Matches inline FAQPage JSON-LD.

exit 127 under launchd or cron → PATH missing openclaw / Node → absolute paths in the plist; compare which openclaw with interactive SSH.
exit 127 in a script child only → bad shebang or env → call /usr/bin/env node explicitly or fix the interpreter path.
doctor / Health says Gateway bad but tunnel is down → remote-url still targets 127.0.0.1 → start SSH -L before status commands.
Web Chat cannot connect → wrong host / mixed content / extensions → align WebSocket frames in DevTools; retry with blockers disabled.
Intermittent 401/403 or wrong token on direct → multiple config sources → converge on one file and one env source.
Enterprise TLS MITM → OS does not trust custom root → import per policy or use the documented termination pattern.

Risk switches

Cleartext ws://, disabled certificate validation, and break-glass environment variables belong only under an explicit threat model and change ticket; defaults should follow official security defaults.

Close-out and further reading

Suggested order: pick region and gateway placement → choose Direct or SSH wrapping → fix daemon and PATH → baseline with doctor/status → then tune 16/24GB, disk, and parallel splits. Pricing and regions: https://vuncloud.com/en/mac-mini-rental.html; self-serve docs: https://vuncloud.com/en/help-center.html.