docs: add AllowTcpForwarding prerequisite to Hetzner SSH tunnel step #1397

Open
BingqingLyu wants to merge 2 commits into main from fork-pr-54564-docs-hetzner-ssh-tcp-forwarding

@BingqingLyu (Owner) commented Apr 27, 2026

Summary

  • Problem: The Hetzner guide recommends accessing the gateway via SSH tunnel but does not mention that AllowTcpForwarding must be enabled in the VPS sshd config for this to work.
  • Why it matters: Users with hardened SSH configs hit a silent, cryptic failure - channel 3: open failed: administratively prohibited: open failed - with no indication that sshd config is the cause.
  • What changed: Added a prerequisite note to the SSH tunnel step in the Hetzner guide explaining the AllowTcpForwarding setting, the exact error they will see if it is disabled, and a systemctl restart sshd reminder.
  • What did NOT change: No code changes. Docs only.

Change Type (select all)

  • Bug fix
  • Feature
  • Refactor required for the fix
  • Docs
  • Security hardening
  • Chore/infra

Scope (select all touched areas)

  • Gateway / orchestration
  • Skills / tool execution
  • Auth / tokens
  • Memory / storage
  • Integrations
  • API / contracts
  • UI / DX
  • CI/CD / infra

Linked Issue/PR

Root Cause / Regression History (if applicable)

N/A - docs gap, not a regression.

Regression Test Plan (if applicable)

N/A

User-visible / Behavior Changes

Users following the Hetzner guide now see a prerequisite note about AllowTcpForwarding before the tunnel command.

Security Impact (required)

  • New permissions/capabilities? No
  • Secrets/tokens handling changed? No
  • New/changed network calls? No
  • Command/tool execution surface changed? No
  • Data access scope changed? No

Repro + Verification

Environment

  • OS: Hetzner Ubuntu 22.04 VPS with hardened sshd config
  • Runtime/container: N/A (docs only)

Steps

  1. Follow Hetzner guide with hardened sshd (AllowTcpForwarding no)
  2. Run ssh -N -L 18789:127.0.0.1:18789 root@YOUR_VPS_IP
  3. See channel 3: open failed: administratively prohibited: open failed

Expected

  • Docs warn about this requirement before the tunnel command

Actual (before fix)

  • No mention of AllowTcpForwarding anywhere in the guide

Evidence

Human Verification (required)

  • Verified scenarios: confirmed the exact error message matches the issue report and that AllowTcpForwarding local is the minimal safe setting for this use case
  • Edge cases checked: AllowTcpForwarding yes also works but is broader than needed; local is the right recommendation for this setup
  • What you did not verify: live VPS test (docs-only change)

Review Conversations

  • I replied to or resolved every bot review conversation I addressed in this PR.
  • I left unresolved only the conversations that still need reviewer or maintainer judgment.

Compatibility / Migration

  • Backward compatible? Yes
  • Config/env changes? No
  • Migration needed? No

Failure Recovery (if this breaks)

  • How to disable/revert this change quickly: Revert docs/install/hetzner.md
  • Known bad symptoms reviewers should watch for: None

Risks and Mitigations

None - docs-only change.

Users with hardened sshd configs hit a silent failure when attempting the
SSH tunnel. Add a prerequisite note explaining the AllowTcpForwarding setting
and the error message they will see if it is disabled.

Closes openclaw#54557
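
An added example, not part of the PR or the project's docs: a pre-flight check that reads effective sshd settings in the format `sshd -T` prints and reports whether the guide's `ssh -N -L 18789:127.0.0.1:18789` forward would be permitted. It goes beyond the PR's single setting by also checking `DisableForwarding` and `PermitOpen`, two other sshd_config options that can refuse the tunnel; `can_local_forward` is a hypothetical helper name and both sample configurations are constructed.

```shell
#!/bin/sh
# Added example (not from the PR). can_local_forward is a hypothetical helper.
# Reads effective sshd settings on stdin in the format `sshd -T` prints
# (lowercase keyword, space, value) and returns 0 when a local forward
# (ssh -L) to HOST:PORT would be permitted.
can_local_forward() {
    awk -v host="$1" -v port="$2" '
        $1 == "allowtcpforwarding" { fwd = tolower($2) }
        $1 == "disableforwarding"  { dis = tolower($2) }
        $1 == "permitopen"         { for (i = 2; i <= NF; i++) dest[n++] = $i }
        END {
            if (dis == "yes") { print "blocked: DisableForwarding yes"; exit 1 }
            if (fwd == "") fwd = "yes"   # OpenSSH default when unset
            if (fwd != "yes" && fwd != "all" && fwd != "local") {
                print "blocked: AllowTcpForwarding " fwd; exit 1
            }
            ok = (n == 0)                # no PermitOpen line: unrestricted
            for (i = 0; i < n; i++) {
                d = dest[i]
                if (d == "any" || d == (host ":" port) || d == (host ":*") ||
                    d == ("*:" port) || d == "*:*") ok = 1
            }
            if (!ok) { print "blocked: PermitOpen excludes " host ":" port; exit 1 }
            print "allowed: AllowTcpForwarding " fwd
        }'
}

# Constructed sample: the hardened setup from the repro steps.
HARDENED_SAMPLE='allowtcpforwarding no
disableforwarding no
permitopen any'

# Constructed sample: the setting the PR recommends.
RECOMMENDED_SAMPLE='allowtcpforwarding local
disableforwarding no
permitopen any'

printf '%s\n' "$HARDENED_SAMPLE"    | can_local_forward 127.0.0.1 18789 || true
printf '%s\n' "$RECOMMENDED_SAMPLE" | can_local_forward 127.0.0.1 18789 || true
```

On the VPS, feed it the live configuration as root: `sshd -T | can_local_forward 127.0.0.1 18789`.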

Development

Successfully merging this pull request may close these issues.

[Feature]: Hetzner guide: SSH tunnel requires AllowTcpForwarding to be enabled in sshd config
