Commit ab5c802

docs: add AllowTcpForwarding prerequisite to Hetzner SSH tunnel step
Fixes #54557; carries forward #54564; refs #54954. Thanks @satishkc7, @blackstrype, and @Aftabbs.
1 parent 7475b27 commit ab5c802

2 files changed

Lines changed: 17 additions & 1 deletion

CHANGELOG.md

Lines changed: 1 addition & 0 deletions
@@ -13,6 +13,7 @@ Docs: https://docs.openclaw.ai
1313

1414
### Fixes
1515

16+
- Docs/Hetzner: clarify that SSH tunnel access requires `AllowTcpForwarding local` before running `ssh -L`, so hardened VPS sshd configs do not block loopback Gateway access. Fixes #54557; carries forward #54564; refs #54954. Thanks @satishkc7, @blackstrype, and @Aftabbs.
1617
- Gateway/shutdown: report structured shutdown warnings and HTTP close timeout warnings through `ShutdownResult` while preserving lifecycle hook hardening. Carries forward #41296. Thanks @edenfunf.
1718
- Plugins/QA: prebuild the private QA channel runtime before plugin gauntlet source runs so wrapper CPU/RSS measurements are not polluted by private QA dist rebuild work. Thanks @vincentkoc.
1819
- Gateway/reload: bound default restart deferral and SIGUSR1 restart drain to five minutes while preserving explicit `deferralTimeoutMs: 0` indefinite waits, so stale active work accounting cannot block config reloads forever. Thanks @vincentkoc.
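
Review bot: The new Docs/Hetzner entry says SSH tunnel access "requires `AllowTcpForwarding local`", which reads as if `local` were the only value that works. The tunnel only needs local forwarding to be permitted, and the doc change itself frames the prerequisite as "allows TCP forwarding", so `yes` (the sshd default) works as well; `local` is the least-privilege choice. Suggest wording such as "requires sshd to permit local TCP forwarding (for example `AllowTcpForwarding local`)" so readers on a default config do not conclude they must edit it.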

docs/install/hetzner.md

Lines changed: 16 additions & 1 deletion
@@ -218,7 +218,22 @@ For the generic Docker flow, see [Docker](/install/docker).
218218
</Step>
219219

220220
<Step title="Hetzner-specific access">
221-
After the shared build and launch steps, tunnel from your laptop:
221+
After the shared build and launch steps, complete the following setup to open the tunnel:
222+
223+
**Prerequisite:** Ensure your VPS sshd config allows TCP forwarding. If you
224+
have hardened your SSH config, check `/etc/ssh/sshd_config` and set:
225+
226+
```
227+
AllowTcpForwarding local
228+
```
229+
230+
`local` allows `ssh -L` local forwards from your laptop while blocking
231+
remote forwards from the server. Setting it to `no` will fail the tunnel
232+
with:
233+
`channel 3: open failed: administratively prohibited: open failed`
234+
235+
After confirming TCP forwarding is enabled, restart the SSH service
236+
(`systemctl restart ssh`) and run the tunnel from your laptop:
222237

223238
```bash
224239
ssh -N -L 18789:127.0.0.1:18789 root@YOUR_VPS_IP
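
Review bot: New lines 235-236 tell readers to restart sshd "After confirming TCP forwarding is enabled", but a restart is only needed when `/etc/ssh/sshd_config` was actually edited, and on a remote VPS a restart with a config typo can leave sshd down. Suggest making the restart conditional on a change and putting an `sshd -t` syntax check before it. `systemctl restart ssh` is the Debian/Ubuntu unit name and other distributions use `sshd`, so state the assumed image or mention both. For the error quoted at line 233, it would help to say that it appears when something connects to the forwarded port rather than when `ssh -N -L` starts, and that the channel number in it varies. The new fence at lines 226-228 is also untagged, while the existing block below uses a `bash` tag.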
