[Feature]: Hetzner guide: SSH tunnel requires `AllowTcpForwarding` to be enabled in sshd config

[blackstrype]

Summary

The Hetzner guide recommends accessing the OpenClaw gateway via SSH tunnel, but does not mention that AllowTcpForwarding must be enabled in the VPS sshd config for this to work.

Problem to solve

https://docs.openclaw.ai/install/hetzner

Users who follow SSH hardening best practices will hit this silently:

channel 3: open failed: administratively prohibited: open failed

This error gives no indication that sshd config is the cause.

Proposed solution

Add a prerequisite note to the SSH tunnel step in the Hetzner guide:

Prerequisite: Ensure your VPS sshd config allows TCP forwarding. If you have hardened your SSH config, set AllowTcpForwarding local (allows inbound port forwarding from your work machine, blocks outbound). Setting it to no will cause the tunnel to fail.

Where in the docs

Hetzner guide → Step 8 (Hetzner-specific access), before the tunnel command:

ssh -N -L 18789:127.0.0.1:18789 root@YOUR_VPS_IP

Alternatives considered

An alternative is to use the terraform and/or docker configs proposed at the end of the documentation. But if the intent is to control and master the setup of openclaw on a host machine with docker, the hetzner-specific doc may need adjustments that likely apply to all cloud-hosted environments

Impact

Environment

• Hetzner Ubuntu 22.04 VPS
• OpenClaw latest (March 2026)
• SSH key auth only, hardened sshd config

Evidence/examples

xxx@ubuntu-4gb-hel1-1:~$ channel 3: open failed: administratively prohibited: open failed
channel 3: open failed: administratively prohibited: open failed

Additional information

No response

[clawsweeper]

Closing this as duplicate or superseded after Codex automated review.

Close as duplicate/superseded by the existing open docs PR #54564. Current main still lacks the requested Hetzner AllowTcpForwarding note, but #54564 already directly tracks the same docs-only fix and explicitly closes #54557; #54954 is a second open duplicate PR for the same gap.

Best possible solution:

Use PR #54564 as the canonical tracker for the docs fix, converge or close the duplicate PR #54954 as appropriate, and land the Hetzner AllowTcpForwarding local prerequisite in docs/install/hetzner.md after normal docs review.

What I checked:

• Current Hetzner docs still contain the affected tunnel step: docs/install/hetzner.md Step "Hetzner-specific access" tells users to run ssh -N -L 18789:127.0.0.1:18789 root@YOUR_VPS_IP and then open localhost, with no prerequisite note before the command. (docs/install/hetzner.md:220, be1d656514aa)
• Requested wording is not already present on main: A targeted docs search found SSH tunnel commands but no AllowTcpForwarding or administratively prohibited documentation in the relevant install/gateway/help docs. (be1d656514aa)
• Canonical PR already tracks the same remaining work: GitHub context shows open PR docs: add AllowTcpForwarding prerequisite to Hetzner SSH tunnel step #54564, docs: add AllowTcpForwarding prerequisite to Hetzner SSH tunnel step, changes docs/install/hetzner.md, explicitly says Closes #54557, and describes the same hardened-sshd failure and proposed prerequisite note. (docs/install/hetzner.md, b41adf6e3caf)
• Duplicate PR also exists: GitHub context also shows open PR docs: add AllowTcpForwarding requirement to Hetzner SSH tunnel guide #54954, docs: add AllowTcpForwarding requirement to Hetzner SSH tunnel guide, which also says Closes #54557, confirming the issue is already represented by PR work. (e911158acf6e)

So I’m closing this here and keeping the remaining discussion on the canonical linked item.

Codex Review notes: model gpt-5.5, reasoning high; reviewed against be1d656514aa.